Core Requirement 1 System of Internal Control over financial and
advertisement
November2014 tpp 14-05 Certifying the Effectiveness of Internal Controls Over Financial Information Policy & Guidelines Paper Certifying the effectiveness of internal controls over financial information tpp 14-05 Preface Under the Public Finance and Audit Act 1983 departments and statutory bodies must prepare financial reports in accordance with Australian Accounting Standards that exhibit a true and fair view of the financial position and financial performance of the department or statutory body. Further, AASB 101, Presentation of Financial Statements, requires entities to prepare financial statements “in a manner that provides relevant, reliable, comparable and understandable information.” High quality financial information is essential to support resource allocation decisions and financial management and reporting at the agency level. More broadly agency reporting is consolidated to provide a sector-wide financial position monthly and at year end. All financial information should be prepared to a high standard, including that provided throughout the year, as well as financial statements prepared at the financial year end. The quality of an agency’s financial information and financial reporting reflects the effectiveness of the systems, policies, procedures and practices that collectively underpin that information and reporting. In April 2010, NSW Treasury wrote to agencies advising that it was seeking to improve the accuracy and reliability of financial information. As part of this initiative, NSW Treasury requested that each agency Chief Financial Officer (CFO) provide an annual certification as to the effectiveness of its systems, processes and internal controls for ensuring that financial information provided to NSW Treasury is relevant and reliable. The annual certification, or Chief Financial Officer – Letter of Certification on the Effectiveness of Internal Controls over Financial Information (CFO Letter of Certification), must be provided by the CFO to the Agency Head with a copy to NSW Treasury. NSW Treasury recognises that there are opportunities to further strengthen the annual CFO Letter of Certification process and bring about greater rigour and consistency by setting minimum standards and providing additional guidance. This Policy and Guidelines Paper establishes a set of Core Requirements to ensure that agencies have clear accountabilities for the effectiveness of internal controls over financial information. The guidance in Part 2 outlines the fundamentals of an effective system of internal control and provides a framework for the annual CFO Letter of Certification. The Policy and Guidelines Paper also provides examples of checklists and templates to assist in the preparation of the CFO Letter of Certification. No two agencies are the same and their processes may be at different stages of maturity and involve different levels of complexity. While agencies must comply with the Core Requirements of the Policy, NSW Treasury requires agencies to adapt the questionnaires in the Annexures to suit their own circumstances. Many agencies already have existing processes underlying the CFO Letter of Certification. In these circumstances, I encourage you to benchmark existing processes against this guidance to identify gaps, if any, and implement strategies to address these gaps. Philip Gaetjens Secretary NSW Treasury Treasury Ref: ISBN: TPP 14-05 978-0-7313-3667-8 Note General inquiries concerning this document should be initially directed to Financial Management Policy Unit. Tel: 9928 4245, or email: cfocertification@treasury.nsw.gov.au This publication can be accessed from the Treasury’s website www.treasury.nsw.gov.au. New South Wales Treasury Page i Certifying the effectiveness of internal controls over financial information tpp 14-05 Contents Preface......................................................................................................................................... i Executive Summary................................................................................................................... 1 Acknowledgements ................................................................................................................... 3 Definitions .................................................................................................................................. 4 Part 1 Policy ......................................................................................................................... 6 Core Requirement 1 – System of Internal Control over financial and related operations............. 7 Core Requirement 2 – Annual Letter of Certification ................................................................... 7 Core Requirement 3 – Financial Information Internal Control Questionnaire............................... 9 Core Requirement 4 – Management and Third Party Certifications........................................... 11 Core Requirement 5 – Audit and Risk Committee Review ........................................................ 13 Part 2 Guidance on the fundamentals of an effective system of internal control over financial information ......................................................................... 14 2.1 A strong financial management culture including tone at the top ......................................... 15 2.2 Clear definition of financial reporting roles and responsibilities ........................................... 15 2.3 Financial reporting planning ................................................................................................. 17 2.4 Appropriate allocation of resources and competent staff for financial information and reporting functions ....................................................................... 18 2.5 Identification and monitoring of financial reporting compliance obligations .......................... 19 2.6 Financial information risk management ............................................................................... 20 2.7 Internal control activities for financial information and reporting .......................................... 22 2.8 Effective financial information management including proper record-keeping ..................... 25 2.9 Financial information and reporting performance monitoring and evaluation ....................... 25 2.10 Continuous improvement ................................................................................................... 26 Annexures .................................................................................................................................... Annexure A: Overview of annual certifications and attestations ................................................ 27 Annexure B: Letter of Certification Template ............................................................................. 28 Annexure C: Financial Information Internal Control Questionnaire ............................................ 30 Annexure D: Certifications from management ........................................................................... 42 Annexure E: Audit and Risk Committee Checklist ..................................................................... 50 Annexure F: Process Flowchart for compliance with the Core Requirements ........................... 52 Annexure G: Better Practice Checklist: Planning the preparation of financial statements ......... 53 Annexure H: Register of compliance obligations sample template ............................................ 54 Annexure I: Flowchart of steps in risk assessment and treatment ............................................ 55 References ............................................................................................................................... 56 New South Wales Treasury Page ii Certifying the effectiveness of internal controls over financial information tpp 14-05 Executive Summary The requirement for Chief Financial Officers (CFOs) to submit an annual Letter of Certification was introduced in 2010 as part of a series of initiatives designed to provide greater assurance as to the quality of financial information and reporting, both within agencies and as consolidated in the Total State Sector Accounts. The purpose of this Policy and Guidelines Paper is to: formalise the requirements for completion and submission of the CFO Letter of Certification concerning the effectiveness of internal controls over financial information provide guidance about the fundamental elements that contribute to an effective system of internal control over agency financial information and the process for assessing the effectiveness (including design effectiveness and operating effectiveness) of that system To support this purpose, the document has been structured in two (2) parts. Part 1 outlines the following five (5) mandatory Core Requirements: Core Requirement 1 The Agency Head must ensure there is an effective system of internal control over the financial and related operations of the agency Core Requirement 2 The CFO must provide the Agency Head with an annual Letter of Certification as to the effectiveness of the system of internal control over financial information. Once the Letter of Certification is accepted by the Agency Head, the CFO must ensure that a copy is provided to NSW Treasury Core Requirement 3 The CFO Letter of Certification must be supported by an Internal Control Questionnaire designed to assess the overall adequacy of the existing system of internal control over financial information and completed by the CFO Core Requirement 4 The CFO, when preparing the CFO Letter of Certification, must request and consider certifications provided by management and outsourced service providers Core Requirement 5 The CFO must submit a copy of the Letter of Certification and supporting documentation to the Audit and Risk Committee (ARC) for review at the same time as the Letter of Certification is submitted to the Agency Head. The ARC must review the Letter of Certification and provide advice to the Agency Head and, where applicable, to the governing board. It is mandatory for all material entities (other than State Owned Corporations) identified in the NSW Government Budget Papers (Budget Paper 2) as a “material entity controlled by the NSW Government” including departments, statutory bodies, and other entities to comply with the Core Requirements1. All State Owned Corporations have been submitting an annual CFO Letter of Certification to date and the majority of State Owned Corporations are understood to already have processes that closely align with the Core Requirements. State Owned Corporations are strongly encouraged however to comply with all of the Core Requirements and to benchmark their systems of internal control over financial information against the guidance in this Policy and Guidelines Paper. 1 Core Requirement 5 will only be applicable to agencies where there is an ARC. Those agencies that are not required to, and do not, have an ARC (or alternative form such as an Audit Committee) are not required to comply with this requirement. New South Wales Treasury Page 1 Certifying the effectiveness of internal controls over financial information tpp 14-05 It is expected that the CFO Letter of Certification in 2015 (required to be submitted to NSW Treasury on or before 31 October 2015) and all subsequent years will reflect compliance with all Core Requirements. The CFO Letter of Certification is intended to cover the prior financial year. Core Requirement 1 reflects an existing requirement in the Public Finance and Audit Act 1983 (PFAA). While the legislative requirement does not apply to State Owned Corporations, the Guidelines for Boards of Government Businesses (TPP 09-02) notes that “Businesses should develop a sound system of risk oversight and management and internal control”. Core Requirement 2 formalises an existing requirement that has previously been implemented by an annual letter to agencies. Core Requirements 3 to 5 relate to the processes underpinning the Letter of Certification to: promote consistency of practice across the sector in assessing and providing assurance on the effectiveness of the system of internal control set minimum standards for agencies around NSW Treasury’s requirements relating to the Letter of Certification. Core Requirement 5 requires a copy of the CFO Letter of Certification to be provided to the Agency Head to be submitted to the ARC for review and for the ARC to provide independent advice to the Agency Head. For those agencies listed in Schedules 2 and 3 of the PFAA, the ARC role in providing assurance to the Agency Head regarding the processes undertaken to provide the Certification is consistent with the ARC’s responsibilities for oversight of an agency’s internal controls as outlined in the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 09-05). For other agencies, the provision of advice by the ARC in relation to an agency’s system of internal control is not only consistent with better practice2 but is a responsibility already assumed by the ARC in the majority of agencies. Part 2 provides guidance intended to support agencies to implement the Core Requirements. The guidance is provided in the form of 10 better practices for an effective system of internal control over financial information: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. A strong financial management culture including tone at the top Clear definition of financial reporting roles and responsibilities Financial reporting planning Appropriate allocation of resources and competent staff for financial information and reporting functions Identification and monitoring of financial reporting compliance obligations Financial information risk management Internal control activities for financial information and reporting Effective financial information management including proper record-keeping Financial information performance monitoring and evaluation Continuous improvement Templates and examples of checklists to be used by the CFO and the ARC are provided as Annexures to this Policy and Guidelines Paper. With the exception of the CFO Letter of Certification (Annexure B), the templates and examples are intended to provide guidance and, if used, must be adapted to the needs and circumstances of the agency. 2 Refer, for example, to Audit Committees: A Guide to Good Practice, 2nd Edition 2012, a joint publication from the Auditing and Assurance Standards Board, Australian Institute of Company Directors and the Institute of Internal Auditors-Australia. New South Wales Treasury Page 2 Certifying the effectiveness of internal controls over financial information tpp 14-05 Acknowledgements In preparing this Policy and Guidelines Paper, NSW Treasury has drawn on publications and guidance materials developed by public and private sector organisations across Australia and internationally. Key elements of the Policy and Guidelines Paper reflect better practices extracted from guidelines developed in comparable public sector organisations. These have been modified and adapted for the NSW public sector context. NSW Treasury acknowledges the following organisations for documents and standards that, amongst others, have been consulted in the preparation of this Policy and Guidelines Paper: Australian National Audit Office (ANAO) for Preparation of Financial Statements by Public Sector Agencies Better Practice Guide, June 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) for Internal Control – Integrated Framework, 2013 NSW Department of Justice for the use of internal documentation informing the Management Certification Questionnaire Template (Annexure D) A number of stakeholders, including Chief Financial Officers, Chief Audit Executives, Audit and Risk Committee Chairs, and others including PricewaterhouseCoopers (Melbourne) have provided input into the development of this Policy and Guidelines Paper. These contributions are gratefully acknowledged. New South Wales Treasury Page 3 Certifying the effectiveness of internal controls over financial information tpp 14-05 Definitions The following lists relevant key terms and their definitions: Agency means an entity considered material for whole of government purposes and listed in Budget Paper 2 as a “material entity controlled by the NSW Government.” It includes departments, statutory bodies and other entities. Agency Head means: in relation to a department, the department head as identified in column 2 of Schedule 3 of the PFAA, or in relation to a statutory body listed in Schedule 2 of the PFAA, the chief executive officer or the person who exercises the functions of a chief executive officer in relation to the statutory body, or in relation to a State Owned Corporation, the chief executive officer, or in relation to any other entity, the chief executive officer or the person who exercises the functions of a chief executive officer in relation to that entity. Audit and Risk Committee (ARC) is a committee established to oversee an agency’s governance, risk management and internal control framework. Departments and statutory bodies are required to establish ARCs in accordance with the requirements of NSW Treasury’s Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 09-05). The term, as used in this Policy and Guidelines Paper, is intended to include the Audit Committees of State Owned Corporations. Audit Office means the Audit Office of New South Wales. Chief Financial Officer (CFO) is the most senior position in the agency with the primary responsibility and accountability for the financial management of an agency, including the preparation of external and internal financial reports and the delivery of other financial management support functions. CFO Letter of Certification is a certification made by the CFO to the Agency Head in a prescribed format as to the effectiveness of an agency’s system of internal control over financial information. Consolidated Financial Statements means the consolidated financial statements for the State prepared by the Treasurer under section 6(1) of the PFAA (commonly referred to as the Total State Sector Accounts). Department means a person, group of persons or body specified in Column 1 of Schedule 3 of the PFAA. Financial information refers to both historical and prospective information that presents the financial position and performance of the agency and used to assess the financial position and performance of the agency and/or to inform internal and external decision-making about resource allocation and use. Financial reporting refers to both internal (management) reporting and external reporting. New South Wales Treasury Page 4 Certifying the effectiveness of internal controls over financial information tpp 14-05 Financial statements are a structured representation of the financial position, financial performance and financial cash flows of an entity prepared in accordance with Australian Accounting Standards and NSW Treasury guidelines. Internal controls are systems, policies, procedures and processes that are designed to provide reasonable assurance regarding the achievement of objectives in the following categories effectiveness and efficiency of operations reliability of financial reporting, and compliance with laws and regulations 3. Internal Control Questionnaire is a questionnaire used to assess the effectiveness of the system of internal control supporting an agency’s financial information and financial reporting and to assist the CFO in completion of the CFO Letter of Certification. Materiality requires consideration of the significance and impact of the matter in question, as well as whether or not a reader of the financial information or financial statements will be misled. Australian Accounting Standard AASB 1084 - Accounting Policies, Changes in Accounting Estimates and Errors – notes that information is material if omissions or misstatements of that information could, “individually or collectively, influence the economic decisions that users make on the basis of the financial statements. Materiality depends on the size and nature of the omission or misstatement judged in the surrounding circumstances. The size or nature of the item, or a combination of both, could be the determining factor.” Outsourced service provider means a third party organisation that provides corporate and other finance functions (such as those involving the recording, processing and reporting of financial data on behalf of an agency) where the provision of those services has an impact on the agency’s system of internal control as it relates to financial reporting. An example would be ServiceFirst. Significance, for the purposes of this Policy and Guidelines Paper, must be determined based on an exercise of judgement that a deficiency or combination of deficiencies is of sufficient importance to merit the attention of the Agency Head. Statutory bodies means a person, group of persons or body specified in Schedule 2 of the PFAA. State Owned Corporations refers to an entity defined in section 3 of the State Owned Corporations Act 1989. Work papers represent documentation that support the CFO and related certifications and can include both paper and electronic records. 3 Committee of Sponsoring Organizations of the Treadway Commission (COSO) December 2011 Internal Control – Integrated Framework 4 Paragraph 5 New South Wales Treasury Page 5 Certifying the effectiveness of internal controls over financial information tpp 14-05 Part 1: Policy This Policy outlines the Core Requirements that must be adopted by agencies to ensure that an effective system of internal control over their financial and related operations is implemented, maintained and routinely reviewed. Consistent with the legislative requirement under section 11 of the Public Finance and Audit Act 1983 (PFAA) applicable to departments and statutory bodies, the Core Requirements require the Agency Head to ensure that there is an effective system of internal control over the financial and related operations of the agency. For State Owned Corporations, the requirement is consistent with the NSW Treasury policy Guidelines for Boards of Government Businesses (TPP 09-02) which notes that “Businesses should develop a sound system of risk oversight and management and internal control.” This Policy requires the Chief Financial Officer (CFO) to annually certify that the system of internal control has been operating effectively to support the true and fair presentation of the financial information. The certification covers the financial year (i.e. 1 July to 30 June for most agencies). The Australian Accounting Standards (based on International Financial Reporting Standards), stress the importance of presenting financial information that is relevant, reliable, comparable and understandable. NSW Treasury requires all financial information produced by agencies to be: Relevant: information must be timely and aligned to user needs Reliable: information must be complete and accurate, in all material respects Comparable: information must be consistently recorded and presented permitting comparisons over time and between agencies Understandable: information must be suitable for the needs and abilities of the users of that information This Policy applies to all agencies listed in Budget Paper 2 as material entities (other than State Owned Corporations)5. Core Requirements 1 to 5 aim to ensure clear accountability and assurance relating to the system of internal control over an agency’s financial information. The flowchart at Annexure F outlines the processes to be undertaken to meet the Core Requirements of the Policy. It is expected that the CFO Letter of Certification in 2015 (as submitted to NSW Treasury on or before 31 October 2015) and all subsequent years should reflect compliance with all Core Requirements of this Policy. On an ongoing basis, agencies newly identified as material agencies, in the NSW Government Budget Papers (Budget Paper 2), must comply with all of the Core Requirements6 by the end of the subsequent financial year. For example, if an agency is first listed as a material agency in the Budget Papers for 2016-17, that agency must comply with all of the Core Requirements for the 2016-17 financial year, including submitting a copy of the CFO Letter of Certification to NSW Treasury on or before 31 October 2017. 5 State Owned Corporations are strongly encouraged to comply with all of the Core Requirements and to benchmark their systems of internal control over financial information against the guidance in this Policy and Guidelines Paper 6 This does not provide an exemption to existing obligations to ensure that there is an effective system of internal control over financial and other related operations under section 11 of the PFAA. New South Wales Treasury Page 6 Certifying the effectiveness of internal controls over financial information tpp 14-05 Core Requirement 1 System of Internal Control over financial and related operations The Agency Head must ensure that there is an effective system of internal control over the financial and related operations of the agency. The Agency Head has a responsibility to ensure that there is an effective system of internal control over the financial and related operations of the agency, including: a) b) c) d) e) management policies and requirements prescribed by legislation and applicable to the agency sound practices for the efficient, effective and economical management of functions by each organisational branch or section within the agency a system of authorisation and recording and procedures adequate to provide accounting control in relation to assets, liabilities, revenue and expenses proper segregation of functional responsibilities, and procedures to review the adequacies of and compliance with the system of internal control. Core Requirement 2 Annual Letter of Certification The Agency Chief Financial Officer (CFO) must provide the Agency Head with an annual Letter of Certification as to the effectiveness of the system of internal control over the agency’s financial information. Once the Letter of Certification is accepted by the Agency Head, the CFO must ensure that a copy is provided to NSW Treasury on or before 31 October of each year. The system of internal control that underpins financial information forms a key component of an agency’s overall financial management system. Core Requirement 2 provides critical support and assurance to the Agency Head in meeting his/her responsibilities under Core Requirement 1 above7. The annual CFO Letter of Certification provides assurance to the Agency Head that the agency had an effective system of internal control in place to ensure that the agency’s financial information presents a true and fair view, in all material respects, of the financial position and financial performance of the agency. Where significant deficiencies in the system of internal control have been identified, these are required to be documented in the Letter of Certification (refer Annexure B), along with the likely impact and management’s agreed action plans to address the deficiencies. The CFO Letter of Certification must use the template at Annexure B. It must certify that: The CFO acknowledges responsibility for the design, implementation and operation of internal control systems over the agency’s financial information and Over the financial year, the agency had an effective system of internal control: the Certification confirms that the agency had an effective8 system of internal control to ensure that financial information presenting the financial position and performance of the agency is true and fair, in all material respects. 7 Recommendation 4.2 of the ASX Corporate Governance Principles seeks a comparable assurance to be made to the board by the chief executive officer and the chief financial officer. 8 In assessing effectiveness, the CFO should consider both whether the internal controls were appropriate and sufficient, as well as whether they were operating properly. New South Wales Treasury Page 7 Certifying the effectiveness of internal controls over financial information tpp 14-05 OR One or more significant deficiencies have been identified that are likely to have adversely affected the ability of the agency to record, process, summarise and report financial information: the Certification notes that, based on an annual evaluation of the system of internal control over financial information, one or more significant deficiencies have been identified that are likely to have adversely affected the agency’s ability to record, process, summarise and report financial information. Significant deficiencies must be detailed in the Certification. The Certification also notes that, other than the deficiencies identified, the integrity of financial information has been based on a sound system of risk management and internal control that has been operating effectively. Where an agency has identified significant deficiencies in the system of internal control over financial information, the CFO must assess the impact of these deficiencies and detail the plans and timescales for resolution of any unresolved significant issues in the CFO Letter of Certification. The Certification is intended to cover the financial year (i.e. for most agencies this will be 1 July – 30 June). At the time of submission of the CFO Letter of Certification to the Agency Head, a copy of the Letter of Certification must also be provided to the Audit and Risk Committee (ARC) (refer Core Requirement 5 of this Policy). After acceptance by the Agency Head9, a copy of the Letter of Certification must be submitted to NSW Treasury on or before 31 October. Electronic submission of signed and scanned CFO Letters of Certification will be accepted. CFO Certifications may be emailed to agencyinfo@treasury.nsw.gov.au. Failure to submit or subsequent material errors discovered Where an agency fails to submit the annual CFO Letter of Certification on time or submits a fully compliant certification but material errors are subsequently discovered in its financial reports by external audit or external review, the agency may be requested by the Expenditure Review Committee (ERC) or NSW Treasury to provide: a full report detailing the reason why the agency failed to submit the CFO Letter of Certification on time or the reason for material errors not being identified and addressed and a remedial action plan detailing accountabilities and timeframes and a follow up report on closure or completion of the matter. These reports to NSW Treasury must be signed by the CFO and approved by the Agency Head after receiving independent advice from the agency’s ARC. The agency’s ARC should monitor the implementation of remedial action plans. NSW Treasury may also request additional information or investigation if required. 9 The manner and form in which an Agency Head ‘accepts’ the CFO Certification is to be determined by the Agency Head. Evidence of the Agency Head’s acceptance is not required to be submitted to NSW Treasury but should be retained by the agency. New South Wales Treasury Page 8 Certifying the effectiveness of internal controls over financial information tpp 14-05 Core Requirement 3 Financial Information Internal Control Questionnaire The CFO Letter of Certification must be supported by an Internal Control Questionnaire (ICQ) designed to assess the overall adequacy of the existing system of internal control over financial information and completed by the CFO. One of the CFO’s primary responsibilities is to provide for a system of effective financial management and oversight throughout the financial year, culminating in the preparation of the annual financial statements. The CFO, therefore, is the appropriate person to ensure that the necessary internal controls have been implemented and are effective in ensuring that the agency’s financial information is relevant, reliable, comparable and understandable and that financial reports present a true and fair view in all material respects of the agency’s financial position and performance. CFOs should also consider how their financial information impacts at a whole-of-sector level and report issues to Treasury at the earliest opportunity. An ICQ that is designed for the specific circumstances of the agency, must be used by the CFO to systematically collect evidence on which to assess the overall adequacy of the existing system of internal control over financial information (including financial statements). The ICQ is a management tool. It provides a framework for the CFO to undertake a comprehensive review and assessment of the effectiveness of the agency’s internal controls and confidently communicate the results of that assessment to the Agency Head, ARC and NSW Treasury. Although not required to be submitted to NSW Treasury, the ICQ should form a key part of the evidence supporting the CFO’s Letter of Certification and the outcomes of the assessment made using the ICQ must be considered by the ARC as part of its review of the CFO Letter of Certification (refer to Core Requirement 5 below). The ICQ must be developed by the CFO to suit the particular circumstances of the agency. Once developed, the ICQ must be reviewed and updated each year. The ICQ must be approved by the Agency Head annually prior to implementation. The content and focus of the ICQ should be driven by a risk assessment (refer to Part 2.6 Financial Information Risk Management below). As a minimum, however, the ICQ must consider the following: financial management culture (including tone at the top) clarity of roles and responsibilities relating to financial reporting sufficiency and appropriateness of financial reporting planning sufficiency of resources and competency of staff responsible for financial reporting compliance with financial reporting obligations financial information risk management effectiveness of internal control activities effectiveness of financial information management including proper record keeping financial information and reporting performance monitoring and evaluation continuous improvement processes. Further guidance on these fundamental elements of an effective system of internal control can be found in Part 2 of this Policy and Guidelines Paper. New South Wales Treasury Page 9 Certifying the effectiveness of internal controls over financial information tpp 14-05 When designing the ICQ agencies must also consider the annual Financial Reporting Checklist10 and early close procedures issued by NSW Treasury. (Refer www.treasury.nsw.gov.au). Responses to ICQ items should be informed by a range of sources including both current and prior feedback relevant to the current certification period such as: the CFO’s own observations reports and certifications from subject-matter experts reports and certifications from management (refer to Core Requirement 4) reports and certifications from outsourced service providers (refer to Core Requirement 4) internal audit reports external audit findings such as those detailed in management letters, client service plans and reports, letters of early close observations and reports to Parliament reports from independent external consultants. Any significant issues identified in the process of completing the ICQ must be considered and assessed to determine the impact on financial information. Whilst it is envisaged that the ICQ based assessment will be concluded prior to signing off the CFO Letter of Certification, the evidence required to complete the ICQ will need to be planned by the CFO, accumulated and documented throughout the financial year. This will enable early identification of any potential departures to allow remedial actions to be implemented prior to early close and final sign off. An example of an ICQ is provided at Annexure C. Agencies must modify the template to suit their own circumstances. 10 The Financial Reporting Checklist can be found on the NSW Treasury website at http://www.treasury.nsw.gov.au/__data/assets/pdf_file/0017/21563/Year_End_Reporting_Checklist.pdf New South Wales Treasury Page 10 Certifying the effectiveness of internal controls over financial information tpp 14-05 Core Requirement 4 Management and Third Party Certifications The CFO, when preparing the CFO Letter of Certification, must request and consider certifications provided by management and outsourced service providers. Obtaining certifications from management Certifications from management11, that will assist the CFO in assessing the effectiveness of internal controls within different parts of the agency, must be obtained to support the completion of the ICQ and annual CFO Letter of Certification. The specific content and form of the certifications from management must be: agreed as part of the planning process for compliance with this Policy approved by the Agency Head communicated at an early date to all affected managers. An example of a management certification questionnaire can be found at Annexure D. The requirement to seek certifications is important because it engages line managers in the financial management of the agency and improves financial accountability. Managers who have input in setting budgets and clear accountability for managing financial resources, including the identification of relevant risks and cost drivers, are more likely to take ownership for the resources under their control12. Budget ownership and devolution of financial responsibility is a core component of good financial control within an organisation. The CFO must decide on the appropriate level at which to seek management certification based on the agency’s financial accountability framework and an appropriate risk assessment. This should take account of the volatility and historical financial performance of the business area as well as its overall size. Obtaining certifications on the effectiveness of controls of outsourced functions Many agencies engage outside service providers to perform functions that are integral to the agency’s financial operations and information. It is important for agencies to be assured that controls implemented by service providers are properly designed and operate effectively, and complement the agency’s system of internal control in relation to financial information and reporting. Agencies must require all outsourced service providers undertaking finance functions (such as those involving the recording, processing and reporting of financial data on their behalf) that will impact their financial information and reporting, to provide a letter of certification each year. The certification letter must provide assurance that meets the satisfaction of the client agency as to the design and effectiveness of the internal controls in the service organisation as they relate to, and impact on, the agency’s financial information and reporting. 11 For the purposes of this Core Requirement, management refers to line and other managers i.e. budget holders and business area managers. 12 Refer to Australian National Audit Office, June 2008, Developing and Managing Internal Budgets, Better Practice Guide, Commonwealth of Australia. New South Wales Treasury Page 11 Certifying the effectiveness of internal controls over financial information tpp 14-05 The contents of such a letter must include: A description of the financial functions provided to the client agency A description of the system (policies and procedures) designed and implemented by the service provider to provide the agreed financial functions 13 for the client agency covering, among other things: o the procedures, both within information technology and manual systems, by which the functions are provided o related records and supporting information o how the service provider deals with significant events (other than transactions) o the processes to prepare reports and other information o the control objectives and controls designed to achieve these objectives and the risks that threaten the achievement of the control objectives o other relevant aspects of the service provider’s control environment 14. A certification by the service provider that in all material respects: o the service provider has an effective system of internal control to ensure that the financial information provided to the client agency is relevant, reliable, comparable and understandable o The system description fairly presents the service provider’s system as designed and implemented throughout the specified period o The controls related to the control objectives stated in the system description were suitably designed throughout the specified period o The controls related to the control objectives stated in the system description operated effectively throughout the specified period. Details of any assurance activities conducted during the period in relation to internal controls (for example by the service provider’s internal audit function or other quality functions performed by the service provider as part of its internal assurance framework) to support the certification Actions to address recommendations and findings arising from assurance activities. Client agencies must agree the broad content and timing of the service provider’s letter(s) of certification. (In some instances a client agency may choose to require such a letter of certification more than once in a financial year). In particular, it is the client agency’s responsibility to be satisfied with the adequacy of the system description, control objectives and related controls. In some instances, depending upon the nature and extent of the services provided by a service provider, client agencies may consider it appropriate to seek or request additional assurance in the form of an independent opinion on the design and operating effectiveness of controls in the service organisation as it relates to the agency’s financial information and reporting. Such an assurance engagement should be undertaken by the assurance practitioner in compliance with the relevant audit standards issued by the Audit and Assurance Standards Board (AASB) which are: ASAE 3000 Assurance Engagements Other than Audits or Reviews of Historical Financial Information ASAE 3402 Assurance Reports on Controls at a Service Organisation. 13 It is better practice for services provided under an outsourced arrangement to be detailed in a contract, service level agreement or equivalent together with performance standards. 14 ASAE 3402 Assurance Reports on Controls at a Service Organisation, Auditing and Assurance Standards Board, (Appendix 1A) provides an example of a service provider’s system description. New South Wales Treasury Page 12 Certifying the effectiveness of internal controls over financial information tpp 14-05 Core Requirement 515 To submit a copy of the Letter of Certification for Audit and Risk Committee Review The CFO must submit a copy of the Letter of Certification and supporting documentation to the ARC for review at the same time that the Letter of Certification is submitted to the Agency Head. The ARC must review the Letter of Certification and provide advice to the Agency Head and, where applicable, to the governing board. For those entities listed in Schedules 2 and 3 of the PFAA, the ARC has responsibilities that include specific responsibilities for review of the agency’s control framework, as outlined in the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 09-05). In addition, the ARC is required to “satisfy itself that the financial statements are supported by appropriate management16 signoff on the statements and on the adequacy of the systems of internal controls.” For other agencies, including State Owned Corporations, this ARC role is consistent with better practice17 and reflects current practice for the majority of agencies. Core Requirement 5 acknowledges this responsibility and requires that the ARC receives a copy of the CFO Letter of Certification. The ARC must review the CFO Letter of Certification and associated questionnaires and checklists and make any inquiries of the CFO and other staff to satisfy itself that the processes undertaken by the CFO appear complete and reasonable. The ARC must also consider whether the conclusions reached by the CFO in the Letter of Certification are supported by appropriate evidence, and appear to appropriately reflect the outcomes of the supporting processes. The ARC must provide advice on the outcome of its review to the Agency Head and, where applicable, to the governing board. Annexure E provides examples of questions that the ARC could ask of the CFO or other staff within the agency in order to satisfy itself that the processes supporting the Certification have been properly undertaken. 15 Applicable to all agencies where there is an ARC (or equivalent). Those agencies that are not required to have an ARC, and do not have an ARC, are not required to comply with this requirement. 16 In this context management refers to the CFO. 17 Refer, for example, to Audit Committees: A Guide to Good Practice, 2nd Edition 2012, a joint publication from the Auditing and Assurance Standards Board, Australian Institute of Company Directors and the Institute of Internal Auditors-Australia. New South Wales Treasury Page 13 Certifying the effectiveness of internal controls over financial information tpp 14-05 Part 2: Guidance on the fundamentals of an effective system of internal control over financial information A system of internal control consists of a range of policies, processes, structures, systems and activities that are designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) b) c) effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations 18. Part 2 provides guidance on the fundamentals of an effective system of internal control specific to providing reasonable assurance regarding the integrity of an agency’s financial information including financial reporting. While there may be similarities, no two agencies will have the same system of internal control. Each agency must develop its system of internal control to suit its own particular operational environment and strategic objectives. It is also important to recognise that a system of internal control is not a static structure. Rather, it is an integrated and dynamic framework of component parts including, in the case of financial information and reporting: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. A strong financial management culture including tone at the top Clear definition of financial reporting roles and responsibilities Financial reporting planning Appropriate allocation of resources and competent staff for financial information and reporting functions Identification and monitoring of financial reporting compliance obligations Financial information risk management Internal control activities for financial information and reporting Effective financial information management including proper record keeping Financial information and reporting performance monitoring and evaluation Continuous improvement. Each of these fundamental elements is discussed in more detail below. A critical success factor in any effective system of internal control is the active and proper exercise of judgement. As observed by COSO (2013)19, judgement is an essential element in the selection, development and deployment of controls, and the monitoring and assessment of the effectiveness of the system of internal control. It is not only the CFO that is exercising this judgement. Judgement should be exercised by senior management and staff across the agency with functions affecting the agency’s financial information and financial reporting. 18 Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control – Integrated Framework. 19 ibid. New South Wales Treasury Page 14 Certifying the effectiveness of internal controls over financial information tpp 14-05 2.1 A strong financial management culture including tone at the top Quality financial information is not only essential to reporting and full accountability, it is also a key input into organisational decision-making. In the absence of this quality financial information, an agency is unable to make well-informed decisions about all facets of its operations. There should be a clear and consistent commitment from senior management to ensuring that the agency has good financial information. Agency Heads and CFOs must provide the necessary leadership to ensure that all staff have sufficient direction and support to ensure the preparation of sound financial information and to contribute to the delivery of quality financial reporting. This requires regular and consistent communication to all managers and relevant staff in the agency about the importance of producing financial information that is relevant, reliable, comparable and understandable. In addition to management commitment, a strong financial management culture can also be supported by: increasing staff awareness of the link between achieving the agency’s strategic objectives and sound financial management developing and documenting clear policies and relevant procedures that are up-todate and accessible to all staff and relevant stakeholders creating an environment where the early reporting of potential or known errors and overspends is mandatory acting promptly to correct or address errors or misstatements encouraging staff to make suggestions to improve systems and processes minimising silos and encouraging cross-agency teams or working groups to identify and discuss developments that have the potential to impact the agency’s financial statements, and other financial reporting mechanisms ensuring that financial management issues are regularly included on the agenda of executive and senior management meetings and staff forums regularly reviewing the agency’s delegations to ensure that they are effective, appropriate, and operating as intended. 2.2 Clear definition of financial reporting roles and responsibilities The roles and responsibilities of key staff involved in financial reporting should be documented by the agency. At a minimum, roles and responsibilities with regard to financial information should be clarified for the following positions: 20 The Agency Head is, among other things, responsible for: - establishing and maintaining an effective system of internal control to support financial reporting that presents a true and fair representation of the financial position and financial performance of the agency - ensuring that financial reporting policies and procedures are available for use by agency managers and staff - certifying the accuracy of financial projections - certifying the annual financial statements - attesting to compliance with the Core Requirements of the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 09-05)20 For those entities listed in Schedules 2 and 3 of the Public Finance and Audit Act 1983 New South Wales Treasury Page 15 Certifying the effectiveness of internal controls over financial information tpp 14-05 - - approving the design and coverage of the ICQ and Management Certification Questionnaire prepared for assessing the system of internal control for financial information accepting the CFO Letter of Certification ensuring that internal control deficiencies are effectively resolved ensuring that the CFO is at a sufficiently senior level within the agency to influence decision-making by senior management ensuring responsibility for oversight and management of outsourced service providers has been appropriately assigned. The CFO is, among other things, responsible for: certifying the effectiveness of the agency’s system of internal control underpinning the provision of high quality financial information providing the executive with relevant, reliable, comparable and understandable financial information to assist with decision making about the allocation of agency resources managing the preparation of external financial reports within mandated timeframes, the form and content of which are prepared to comply with Australian Accounting Standards and NSW Treasury policies and guidelines. The audited financial statements included in an agency's annual report would be the most common example of this type of report. Another example is all financial data supplied to NSW Treasury using the NSW Treasury Online Entry System (TOES) preparing financial reports for use by the agency’s management, the form and content of which are to be consistent with Australian Accounting Standards financial management functions including the preparation of accurate and timely management accounting reports, providing leadership in developing financial reporting policies and procedures and maintaining the chart of accounts and financial reporting information systems preparing and monitoring compliance with the agency’s budget. This includes involving relevant staff in budget development, monitoring and reporting on variances establishing agreed lines of communication with NSW Treasury to ensure that any issues arising in the context of financial reporting are identified and resolved in a timely manner reporting in a timely manner to the Agency Head, any issues that may have implications for financial reporting to NSW Treasury ensuring the timely provision of monthly and year-end financial information in the required format to NSW Treasury to enable the preparation of the Consolidated Financial Statements developing and deploying the ICQ and Management Certification Questionnaire ensuring maintenance of appropriate and secure systems and technology (and its documentation) to deliver financial reports. The Audit and Risk Committee, among other things: - has responsibilities as outlined in the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 09-05) including specific responsibilities for oversight of the agency’s internal control framework and external accountability21 - is responsible for reviewing the CFO Letter of Certification and associated questionnaires and checklists and making appropriate inquiries in order to satisfy itself that the processes supporting the Certification undertaken by the CFO appear complete and reasonable (Core Requirement 5 of the Policy) 21 In the case of SOCs, the audit committee will have responsibilities as outlined in the respective Committee charters. New South Wales Treasury Page 16 Certifying the effectiveness of internal controls over financial information tpp 14-05 - is responsible for monitoring the implementation of any remedial action plans resulting from a failure to submit a Letter of Certification on time or from the subsequent discovery by external audit or review of material errors in the financial reports. Internal Audit, among other things: - has responsibilities including the provision of assurance services to the organisation on the operational effectiveness of its risk management, internal control and governance processes. For entities listed in Schedules 2 and 3 of the Public Finance and Audit Act 1983 these responsibilities are outlined in the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 0905 ) - could be asked to conduct follow-up reviews to ensure that the necessary improvements to controls over financial information have been actioned in a timely manner. Managers and their staff (as relevant) are, among other things, responsible for - complying with the agency’s financial reporting policies and procedures, including appropriate sign-off requirements - ensuring that financial information is reported accurately and in a timely manner, and that internal controls over financial information are effectively implemented as intended - processing and entering transactions accurately into financial information systems consistently and in a timely manner - providing financial and non-financial information in the format and timeframes required by the CFO. This would include analysis of key variances and significant transactions - maintaining supporting documentation relevant to their areas of control, in order to substantiate all financial amounts - ensuring that all relevant documentation is readily available for audit and review as necessary - working with the accounting officers to ensure the accuracy of financial information, for example checking the accuracy of activity data to highlight errors, and complying with local accounting procedures. 2.3 Financial reporting planning CFOs should have in place plans to guide the preparation and review of financial reports. These plans should be developed in consultation with key stakeholders. In the case of the annual financial statements, this should include consultation with the ARC and external auditors and endorsement by the Agency Head. The plans should document the actions and commitments required to achieve the effective preparation and review of financial reports. Key elements of such strategies or plans should include: a description and/or flowcharts of existing processes for the preparation of financial reports highlighting critical milestone dates a list and description of all key roles and responsibilities for financial reporting an outline of quality control standards and processes including monitoring of processes for progression, completion and review of financial reports within the required timeframes an outline of processes to identify opportunities to improve the quality and timeliness of financial reports a financial reporting calendar with key deadlines for the submission and approval of financial reports. New South Wales Treasury Page 17 Certifying the effectiveness of internal controls over financial information tpp 14-05 When developing these plans, agencies should also take into consideration the need to make arrangements for early close procedures. Early close procedures refer to preparing certain aspects of financial statements at an early date. Nominated agencies are required to perform early close procedures. Agencies should refer to NSW Treasury guidance concerning early close procedures 22 for further guidance. The Australian National Audit Office (ANAO) 23 has provided a detailed guide to effective planning for the preparation of financial statements that describes the process and notes key planning considerations. A copy of the ANAO’s Better Practice Checklist: Planning the preparation of financial statements has been reproduced with permission in Annexure G. 2.4 Appropriate allocation of resources and competent staff for financial information and reporting functions The Agency Head should ensure that there are adequate financial and human resources provided and deployed to support the integrity of the agency’s financial information and financial reporting. Adequate resources will, among other things, ensure that: the CFO is able to provide effective financial management support and assistance to budget holders a sound system of risk management is built into the agency’s financial operations a financial reporting compliance framework is developed and maintained staff have sufficient time and knowledge to properly perform their responsibilities, including those relating to financial processes, financial systems and record-keeping there is an effective system of financial delegations and adequate segregation of duties. The professional skills of senior finance staff are important. The NSW Department of Premier and Cabinet Circular C1999-6924 Qualifications for Senior Financial Management and Accounting Positions outlines qualifications required of people recruited or promoted to financial management positions in agencies. The NSW Public Sector Performance Development Framework25 published by the Public Service Commission also provides mandatory performance objectives for executives managing budgets including the Chief Financial Officer and Executive-level budget holding operational managers. 26 It is also important that all relevant staff within an agency understand their roles and responsibilities relating to the preparation and presentation of financial information and have sufficient guidance and training to undertake those roles and responsibilities. To ensure that staff and resources are managed effectively, agencies should also ensure that: clear lines of responsibility and accountability in relation to financial report preparation are identified and well understood 22 Information about the early close requirements can be found in Accounting Policy Frequently Asked Questions on the NSW Treasury Website at http://www.treasury.nsw.gov.au/Accounting_Policy/ap_faq 23 Australian National Audit Office (ANAO) June 2013 Preparation of Financial Statements by Public Sector Entities, Better Practice Guide 24 Department of Premier and Cabinet, http://www.dpc.nsw.gov.au/announcements/circulars/1999/c1999-69 25 http://www.psc.nsw.gov.au/Sector-Support/Managing-for-Performance/Performance-DevelopmentFramework/Financial-Management 26 A Finance Professionals Occupational Capability Set is currently being developed by the Public Service Commission. New South Wales Treasury Page 18 Certifying the effectiveness of internal controls over financial information tpp 14-05 2.5 the finance function and relevant business areas are sufficiently resourced and skilled to meet their respective financial reporting responsibilities the mix of resources utilised is effective in managing peak financial reporting workloads there are practical strategies for succession planning and longer term financial workforce needs business continuity plans are in place. Identification and monitoring of financial reporting compliance obligations It is important that agencies are aware, and have a good understanding, of the compliance obligations relating to both the preparation and presentation of financial information. Agencies should develop, implement and maintain formal arrangements designed to ensure that staff and service providers understand legislative and policy requirements. In preparing financial reports, agencies must comply with the accounting standards issued by the Australian Accounting Standards Board (AASB) as well as public sector reporting requirements including relevant legislation, policies and circulars. Accounting Standards The AASB sets the financial reporting standards for all reporting entities in Australia. The objective of financial reporting is to ‘provide information about the financial position, financial performance and cash flows of an entity that is useful to a wide range of users in making economic decisions.’27 In order for the financial information to be useful, the AASB states that it should be “relevant, reliable, comparable and understandable.” 28 Financial statements are also the primary means by which the management or the governing body of a reporting entity discharges its accountability to the users of the reported financial information. Public Sector Financial Reporting Requirements In addition to the Australian Accounting Standards, agencies must also comply with the financial reporting requirements within the following instruments, as applicable, when preparing financial information: Public Finance and Audit Act 198329 Annual Reports (Departments) Act 1985 Annual Reports (Statutory Bodies) Act 1984 Financial Reporting Code for NSW General Government Sector Agencies issued by NSW Treasury Annual Appropriation Acts State Owned Corporations Act 1989 Enabling legislation (for certain statutory bodies) Other mandatory NSW Treasury accounting policies, circulars and directions as required for financial and year end reporting30 27 AASB 101 Presentation of Financial Statements, paragraph 9 28 AASB 101 Presentation of Financial Statements, paragraph 17(b) 29 References to Acts should be read to include associated and relevant regulations New South Wales Treasury Page 19 Certifying the effectiveness of internal controls over financial information tpp 14-05 In accordance with Australian Accounting Standards and the PFAA, financial statements must respectively present fairly/present a true and fair view of the financial position, financial performance and cash flows of the agency. Reporting a true and fair view requires the faithful representation of the effects of transactions, other events and conditions in accordance with the definition and recognition criteria for assets, liabilities, revenue and expenses. The correct application of Australian Accounting Standards, legislation and other NSW Treasury codes, policies and circulars, should result in financial statements that present a true and fair view. Identifying and monitoring financial reporting compliance obligations An obligations register, list or database can be useful to understand and monitor an agency’s key compliance obligations. The information in the register should include the nature of the obligation, the owner within the agency and any associated agency policies, plans or systems. An example template for an obligations register is provided at Annexure H. Keeping the register up-to-date requires the implementation of processes that will ensure the agency receives timely advice of changes to laws, regulations, standards, codes, policies and other sources of compliance obligations. Entities, such as the Audit Office31 and the Parliamentary Counsel’s Office32, provide regular updates that can assist with this. Ongoing liaison with NSW Government strategic centres, including NSW Treasury analysts, can also support the maintenance of up-to-date information about an agency’s financial reporting compliance obligations. All current NSW Treasury Circulars and Policies are available on the NSW Treasury website (http://www.treasury.nsw.gov.au). The obligations register can also support an agency’s risk management processes by providing a basis for identifying and assessing compliance risks and allocating resources for their treatment accordingly. While the CFO might not be allocated responsibility for maintenance of the agency’s obligations register as a whole, they are expected to ensure that the financial management and related obligations of the agency are monitored and that the register is updated accordingly. 2.6 Financial information risk management Assessing Financial Information Risks To comply with NSW Treasury’s Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 09-05) the Agency Head is required to ensure that an enterprise risk management process has been established that is appropriate to the needs of the agency and consistent with AS/NZS ISO 31000 Risk management – Principles and guidelines. The application of this risk management process should include the management of risks to the integrity of the agency’s financial information reported internally and externally. 30 A list of NSW Treasury accounting policies issued as NSW Treasury Circulars and NSW Treasury Policy Papers currently in force (at date of publication) have been published in Appendix 3 of the Financial Reporting Code for NSW General Government Sector Agencies. 31 The Audit Office regularly publishes a Professional Update. Further information about this publication can be found at http://www.audit.nsw.gov.au/Publications/ProfessionalUpdate 32 A weekly notification is made available through the NSW Legislation website http://www.legislation.nsw.gov.au/maintop/epub New South Wales Treasury Page 20 Certifying the effectiveness of internal controls over financial information tpp 14-05 Risk is defined as the impact of uncertainty on objectives. In the context of financial reporting, an agency’s objectives will include the timely preparation of reliable external and internal financial reports and prevention of inaccurate, misleading or fraudulent financial reporting. Risk assessment is a structured approach to identifying and analysing the uncertainties that exist in meeting an agency’s objective of reporting high quality and timely financial information. While the Agency Head is ultimately responsible for risk management across the agency, the CFO has a key responsibility to assess and manage the risks relating to the agency’s financial management and financial information. Risk assessment consists of identifying risks, analysing and then evaluating these risks. This enables the CFO to prioritise the risks and determine which require further treatment and, then, identify the appropriate treatments. A process flowchart outlining the steps involved in the risk management process can be found at Annexure I. Risks can pertain to internal and external factors. Internally, the absence or ineffective operation of each of the better practices described in this Policy and Guidelines Paper has the potential to adversely affect the integrity of an agency’s financial information. The ANAO33 has listed examples of events that can impact on the preparation of financial statements: Unavailability of skilled resources: a lack of appropriately trained staff will hinder an agency’s ability to properly perform its financial management and reporting responsibilities. Unsuitable management information systems: an inefficient and/or ineffective management information system may result in a high degree of manual processing with a greater risk of error. Incorrect recording of transactions: errors in recordkeeping are likely to result in misclassification of financial statement items and posting of amounts to incorrect reporting periods. Unrecorded transactions: the non-recording of transactions will result in incomplete records and financial reporting. Non-compliance with legislation: various pieces of legislation impact on an agency’s administration, recordkeeping and financial reporting. Incorrect interpretations of complex legislation may result in the inappropriate recognition of transactions or incompleteness of transactions. Restructures: restructures resulting from internal or external events may be accompanied by staff changes and changes in supervision and the segregation of duties. The transfer of assets and liabilities may also result from machinery of government changes. These changes can have a significant impact on the financial statement preparation process. Fraudulent activity: the availability, and extensive use, of information and communication technologies has provided increased opportunities for fraud. Fraud includes intentional misstatements, including omissions of amounts or disclosures, to deceive users of financial information. Untimely reporting of information: delays in financial reporting may mean that the information is out-of-date and of little value to users. Other important considerations include interfaces with outsourced service providers and any changes in the external environment, business model, operations, and technology. 33 Australian National Audit Office (ANAO) June 2013 Preparation of Financial Statements by Public Sector Entities, Better Practice Guide New South Wales Treasury Page 21 Certifying the effectiveness of internal controls over financial information tpp 14-05 After risks have been identified, the next step is to analyse and evaluate the risk and develop cost effective treatment to bring the it to a level at which the agency is prepared to accept or tolerate the risk34. Throughout this process it is important to communicate and consult with key stakeholders both within the agency as well as external stakeholders such as third party service providers. It is also important to continuously monitor and review the whole process to ensure that treatments remain effective and relevant. Change is constant. Managing change requires a constant assessment of risk and the effectiveness of existing treatments on an ongoing basis. Financial Statement Risk Analysis In addition to managing risks to the overall operation of an agency’s financial management framework and system of internal control, agencies may find it beneficial to conduct a risk analysis for each financial statement item and its accompanying notes. The ANAO35 notes that such an analysis may assist agencies to prioritise the resources allocated to the preparation of the financial statements, including the extent of the quality assurance required. This will also assist the agency to determine whether there is scope to improve related controls. 2.7 Internal control activities for financial information and reporting Internal control activities, as related to financial information and financial reporting, are the specific measures implemented to mitigate risks to the quality (including relevance, reliability, comparability and understandability) of financial information. Internal control activities will include the agency’s policies, procedures, processes and systems that implement legislative and policy requirements, together with the directions of management. They will also comprise measures that have been identified and implemented to address specific risks identified in the financial reporting risk assessment process. Internal control activities can be preventative or detective. Preventative activities operate to prevent errors and irregularities while detective activities are designed to discover errors and irregularities. Agencies should ensure that there is an appropriate balance between these forms of activities. In addition, agencies need to be ready to identify and implement corrective actions in a timely manner in response to errors and irregularities identified as an outcome of detective activities. 34 NSW Treasury’s Risk Management Tool Kit for NSW Public Sector Agencies provides detailed guidance on the risk management process 35 Australian National Audit Office (ANAO) June 2013 Preparation of Financial Statements by Public Sector Entities, Better Practice Guide. Refer to Toolkit - Item 6 for a template. New South Wales Treasury Page 22 Certifying the effectiveness of internal controls over financial information tpp 14-05 In financial reporting, examples of key internal control activities will include 36: Policies and procedures should provide clear and up-to-date accounting and procedural guidance with unambiguous instructions for key processes that underpin the collection, collation and reporting of financial information. The accounting procedures should also clearly identify roles and responsibilities against key processes and the associated accountabilities. Authorisation and approval procedures (including delegations) should be clearly defined and widely understood. Transactions should be authorised by people acting within the range of their authority. Segregation of duties ensures that no single person has control over a transaction from beginning to end. Ideally, no single person should be able to authorise, pay, record and reconcile a transaction. Effective segregation of duties provides an important mechanism to better detect and prevent intentional and unintentional error. In some instances, resource constraints might impede full segregation of duties. These instances should be clearly documented and alternative control activities – such as periodic review processes – implemented. Performance appraisal and the provision of training should be a priority to ensure that staff have the knowledge and skills to effectively deliver on their responsibilities. Staff should be held accountable for their roles and responsibilities but this should be in an environment that supports strong performance with good information, training and coaching. Existing and new processes, procedures and technology should be supported through the availability of accessible information and guidance. Deficiencies in knowledge and skills should be promptly addressed through training, coaching and supervision. Sound systems design and construction will ensure that technical systems properly support the agency’s internal control framework and financial reporting objectives. Key stakeholders37 should be consulted during systems design or redesign including preparation of specifications, computer systems design, testing and documentation to ensure that control objectives are satisfied. The design, and any changes to systems and programs, should be clearly authorised with acceptance of test results with final approval of changes approved in writing by the project sponsor. System-enabled control activities can provide a means of automating procedures and processes. For example, access controls such as access restrictions and password protections provide a means of implementing authorisation and approval procedures and segregation of duties. Audit trails provide a means of reviewing and evaluating the effectiveness of access controls as well as providing a means of investigating suspected irregularities. Other system-enabled control activities can include input controls where input data is automatically reconciled to source documentation and version controls to identify the latest approved versions of files. 36 The list and description of example controls is not intended to be exhaustive. Control activities should reflect rigorous risk management processes. Identification of risk treatments should lead to the implementation of new and tailored controls appropriate to the specific contemporary needs of the agency. In some cases, risk management processes will identify control activities that are unnecessary and that can be removed. Agencies should also refer to NSW Treasury policies, circulars and other guidance for specific requirements as they relate to internal controls. 37 Stakeholders may include functional users, internal and external auditors, and agency finance staff. New South Wales Treasury Page 23 Certifying the effectiveness of internal controls over financial information tpp 14-05 Reconciliation processes should be completed in a timely manner to ensure the accuracy of financial information. Where appropriate, the reconciliations procedures should include: responsibility for reconciliation completion and review frequency of reconciliation completion prioritisation of key reconciliations format of the reconciliations completion deadlines requirements for reconciling items to be followed up and cleared in a timely manner requirements to review spreadsheet validity requirements for appropriate supporting documentation to be attached requirements for evidencing preparation and review processes. There should be a segregation of duties between responsibilities for the preparation and review of reconciliations. Automation of reconciliation processes, where possible, can ensure timeliness, support consistent format, and reduce resource requirements associated with reconciliation processes. Automated processes, however, should have clear control objectives and provide an audit trail that can be readily monitored and reviewed. Variance analysis should be routinely undertaken to identify and explain differences between budgeted amounts and actual amounts. Not only can variance analysis be useful in identifying irregularities or particular issues for correction or redress, but it can also provide early information about a performance trend in the agency. Performance and quality reviews of operations, processes and activities represent important detective control activities. Reviews can be undertaken in a range of diverse formats including formal reviews (special and periodic), informal reviews and evaluations, and ongoing review processes such as supervision. Appropriate thresholds for the adjustment of errors provide a useful, commonly agreed, reference point to guide decisions about the approach to be adopted in respect of correction of errors and misstatements. Appropriate thresholds for adjustment of errors or misstatements in financial reporting help to ensure the proportionate and efficient use of resources. It is important that such thresholds are agreed with the auditors and documented. Disaster recovery plans protect financial information and financial reporting by planning for the detection and containment of disasters and recovery from disasters. Disaster recovery plans should be tested regularly and reviewed at least bi-annually using rigorous risk assessment processes to ensure that they are current and accurate. Fraud and corruption is an important focus for internal control. Agencies should develop and implement internal control activities, including specific policies and procedures, to prevent, detect and correct fraudulent financial reporting, such as the falsification of accounting records and the intentional omission of transactions and misapplication of accounting principles. Controls should also be in place to prevent, detect and correct misappropriation of resources or assets. The NSW Audit Office Fraud Control Improvement Kit: Meeting your Fraud Control Obligations 38 provides agencies with better practice guidance to enhance fraud controls. The Independent Commission Against Corruption has extensive guidance on preventing corruption, see http://www.icac.nsw.gov.au/publications-and-resources/corruption-prevention. 38 http://www.audit.nsw.gov.au/Publications/Better-Practice-Guides New South Wales Treasury Page 24 Certifying the effectiveness of internal controls over financial information tpp 14-05 2.8 Effective financial information management including proper record-keeping The quality of financial information and financial reporting will reflect the nature and effectiveness of an agency’s overall information management systems and its ability to manage both electronic and physical information throughout the information lifecycle. Agencies have specific obligations relating to information management including recordkeeping, such as those under the State Records Act 198839. In addition, effective information management will also: ensure that senior management, staff and other key stakeholders have the information that they need to make good decisions support the agency and its staff to be accountable support agency efficiency and productivity through facilitating retrieval and delivery of information to others preserve the corporate memory of the agency. Effective financial information management will include the following attributes: 2.9 the comprehensive and accurate collection of relevant internal and external data proper collation and record-keeping of financial data and information a capacity to collate data and process relevant data into financial information security of financial information and related records generation and delivery of reports to meet the requirements of users timely and straightforward access to financial data and financial information. Financial information and reporting performance monitoring and evaluation An agency’s financial reporting and financial information should be regularly monitored and evaluated to ensure that it presents a true and fair view of the agency’s financial position and performance. Agencies should develop and implement processes for ensuring that feedback on financial information is properly reviewed and acted upon. Feedback sources will include: agency Executive/Board staff and management the internal auditor the external auditor the ARC NSW Treasury analysts agency working groups and steering committees reports from program and project reviews. Feedback about the integrity of financial reporting and financial information may include instances of error and misstatement, unexpected variations, inclusion of irrelevant financial information or a lack of explanatory notes or disclosures. Every instance of feedback about the agency’s financial reporting and financial information generally should be assessed to determine the cause and response required. This will not only provide good information about the presentation of financial information but may also provide insights about the systems and processes behind that information. 39 Details of requirements and responsibilities relating to record-keeping in the NSW public sector are available from the State Record Authority - http://www.records.nsw.gov.au/recordkeeping/recordkeeping New South Wales Treasury Page 25 Certifying the effectiveness of internal controls over financial information tpp 14-05 Feedback should be sought not only as to the presentation of the financial information but also about the internal controls underpinning the information. This may include feedback relating to: 2.10 effectiveness of training and availability of guidance on financial processes whether the financial management culture is supportive of good financial reporting outcomes adequacy of controls at critical points efficacy of the allocation of responsibilities, including whether the delegations are appropriate and effective. Continuous Improvement The agency’s system of internal control should be comprehensively reviewed on a regular basis to ensure that controls are: adequate, proportionate and operating as intended adjusted as necessary in response to changes in the internal or external environment supporting the agency to meet its financial reporting compliance and quality objectives. Monitoring and review can either be carried out formally or informally with mechanisms that may include: Management reviews: e.g. the use of self-assessments and other types of management reviews Independent reviews: e.g. by internal or external audit Continuous informal reviews: e.g. discussing the progress and effectiveness of the financial reporting system of internal control in workgroups or meetings within the finance function. If there are any significant organisational changes, such as changes in key processes, systems or staffing, consideration should be made to conducting an earlier or additional comprehensive review to assess the impact of those changes on the system of internal control. Without undertaking such a review, the impact on the effectiveness of the system of internal control of those changes may be underestimated or discovered too late. It is important that the results of any reviews are documented and communicated to senior management including any recommendations to enhance the system of internal control. Role of Internal Audit Internal audit clearly has a role to play in providing independent, objective assurance and recommendations for continuous improvement in relation to an agency's system of internal control. Internal audit's annual work plan comprises a mixture of pro-active and reactive audits, developed on the basis of both a risk assessment and input from key stakeholders. These stakeholders will include, but not be limited to, the CFO because internal audit is charged with reviewing internal controls employed within an agency, both financial and nonfinancial. It is unacceptable to assume that internal audit alone can provide full assurance around all controls over financial information. CFOs should instead look to internal audit as just one source of feedback and assurance. New South Wales Treasury Page 26 Certifying the effectiveness of internal controls over financial information tpp 14-05 Annexure A: Overview of annual certifications and attestations The Agency Head is responsible for ensuring that the agency has an effective system of internal control over the financial and related operations of the agency. The CFO Letter of Certification provides the Agency Head with an important source of assurance in relation to this responsibility. Further, as a separate requirement, the Agency Head is required to certify annually to NSW Treasury as to the accuracy of revised estimates, budget and forward estimates, and to having ensured that there is an effective system of internal control over the financial and related operations of the agency. The CFO Letter of Certification also provides the Agency Head with internal assurance from the CFO to support this certification to NSW Treasury. 1. A copy of the Letter of Certification is submitted to Treasury 2. In the case of the statement accompanying the financial statements, where there is a governing board, the statement is signed by at least two (2) members of the governing board 3. The Statement is required under sections 41C and 45F respectively of the Public Finance and Audit Act 1983 4. A Statement of Compliance with the Internal Audit and Risk management Policy is published in the Agency’s Annual Report. New South Wales Treasury Page 27 Certifying the effectiveness of internal controls over financial information tpp 14-05 Annexure B: Letter of Certification Template Letter of Certification To the Head of Authority of [agency name] Copied to NSW Treasury For the Financial Year [20XX-XX] Expression of opinion as to the effectiveness of internal controls over financial Information I [Chief Financial Officer of agency name] acknowledge my responsibility for the design, implementation and operation of internal control systems over the agency’s financial information. a) I certify that [agency name] had an effective40 system of internal control to ensure that financial information presenting the financial position and performance of the agency is true and fair in all material respects. OR b) I certify that, based on the annual evaluation of the system of internal control over financial information, one or more significant deficiencies have been identified41 that are likely to have adversely affected the ability of [agency name] to record, process, summarise and report financial information. These are set out in detail on the attached schedule. Other than the deficiencies identified, I certify that the integrity of the financial information has been based on a sound system of risk management and internal control that has been operating effectively. __________________________________ [name] Chief Financial Officer [Date] 40 In assessing effectiveness, the CFO should consider both whether the internal controls were appropriate and sufficient, as well as whether they were operating properly. 41 Includes significant deficiencies for part of the financial year New South Wales Treasury Page 28 Certifying the effectiveness of internal controls over financial information tpp 14-05 Action Plan Description of deficiency Complete as required Likely impact Measures to address Timeframe __________________________________ [name] Chief Financial Officer [Date] New South Wales Treasury Page 29 Certifying the effectiveness of internal controls over financial information tpp 14-05 Annexure C: Financial Information Internal Control Questionnaire The following Internal Control Questionnaire (ICQ) is intended to be an example of a useful tool for CFOs to use in assessing the effectiveness of controls relating to the preparation of financial statements and other financial information. Controls will be aimed at managing the risk of material misstatement or error within financial information that could result from errors in initiating, recording, processing or reporting transactions. Positive responses should provide a level of comfort and confidence to a CFO and provide a basis to assist them meet their obligations to certify that the agency has had an effective system of internal control to ensure that financial information is, in all material respects, true and fair. The ICQ builds upon existing financial reporting checklists that have been provided to agencies by NSW Treasury and has been supplemented, with permission, with material primarily from the ANAO. Questions relating specifically to internal controls have been drawn from the COSO Internal Control Framework guidance material. Further information on each of these resources can be accessed from: ANAO - http://www.anao.gov.au/uploads/documents/ANAO_FinStat_BPG.pdf COSO - http://www.coso.org/ The ICQ is illustrative and not exhaustive. While many of the questions relate to accounting standards and NSW Treasury policy requirements, the ICQ is not designed to reflect every standard and policy requirement. Questions relating to underlying processes supporting technical accounting requirements have also been included. Sample questions have been adapted for the NSW public sector and relate to both the specific preparation of the financial statement as well as regular reporting and the general management of financial internal controls. Some questions may only be relevant to the General Government Sector. The ICQ must be tailored to reflect the particular circumstances of each individual agency and the CFO should determine what the focus of the ICQ should be. Agencies must be mindful of the need and importance of covering high risk areas based on their Risk Assessment when customising this questionnaire for their own use. Prior to deployment, the ICQ, as tailored for the agency, must be approved by the Agency Head. The ICQ is to be completed by the CFO at the corporate level. The completion of the ICQ should be based on an appropriate consideration of risks within each major business unit area, including information received through the Management Certification process. The completed ICQ should be reviewed by the ARC (Core Requirement 5). Whilst it is envisaged that the questionnaire will be concluded prior to signing off on the CFO Letter of Certification, the evidence required to complete it will need to be planned, accumulated and documented by the CFO throughout the financial year. This will enable any potential departures to be identified early enough for remedial actions to be completed prior to final sign off. The ICQ is not required to be submitted to NSW Treasury but should be retained by the agency. New South Wales Treasury Page 30 Certifying the effectiveness of internal controls over financial information tpp 14-05 Financial Information Internal Control Questionnaire Template This Internal Control Questionnaire (ICQ) is an important assurance tool for CFOs and Audit and Risk Committees (ARCs). The design of the ICQ must be tailored to reflect the individual circumstances and risk profiles of the agency. Prior to deployment, the ICQ must be approved by the Agency Head. The ICQ must be completed by the CFO prior to the completion of the CFO Letter of Certification. Upon completion of the ICQ, significant issues identified that may impact on the quality of financial information and the effective operation of internal controls should be detailed in the schedule below. Action plans should be developed by management to overcome any deficiencies identified and these plans should be monitored by the CFO and overseen by the ARC and the Agency Head. ACTION PLAN ICQ# Description New South Wales Treasury Action(s) Responsibility Due Date Traffic Light Status Page 31 Certifying the effectiveness of internal controls over financial information tpp 14-05 FINANCIAL INFORMATION INTERNAL CONTROL QUESTIONNAIRE For reporting period [financial year 20XX – 20XX] Y N Comment A STRONG FINANCIAL MANAGEMENT CULTURE INCLUDING TONE AT THE TOP ICQ.1 Demonstrated commitment to integrity and ethical values • • • • ICQ.2 In your opinion, during the reporting period, did the agency have a culture that emphasised the importance of integrity and ethical behaviour? During the reporting period, was a code of conduct in place that is consistent with the government sector core values as outlined in the Government Sector Employment Act 2013? Was it implemented and enforced through the behaviours and attitudes demonstrated by senior management? Was adherence to the code of conduct and related polices monitored and deviations identified and remedied in a timely and consistent manner? Was there an on-going commitment and support by management for the effective implementation of financial management internal controls? This column may be used to document relevant actions, note any departures or concerns and identify any remedial or follow up actions. Audit and Risk Committee (ARC) oversight • During the reporting period, did the ARC complete its considerations of the financial statements as required by TPP 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector? Were all issues raised satisfactorily resolved? CLEAR DEFINITION OF FINANCIAL REPORTING ROLES AND RESPONSIBILITIES ICQ.3 Oversight responsibilities • • • • • • During the reporting period, were agency structures and responsibilities defined and documented to ensure that financial management oversight responsibilities and expectations were established and well understood? Was financial information, including an analysis of the financial position and the projected financial outcome at year end, regularly reviewed (e.g., monthly) by the agency head and senior management? Did those in senior management with responsibility for financial management oversight hold the necessary expertise? Where relevant, did those tasked with financial management oversight responsibilities satisfy the necessary independence requirements to ensure that they were objective in their evaluations and decision making? Was there sufficient oversight for the overall system of internal control? Were robust arrangements in place for the approval, review and oversight over financial reporting at the business area/budget holder level? FINANCIAL REPORTING PLANNING ICQ.4 Planning and coordination of the preparation of the financial statements and financial information • • • Was a work plan and a timetable for the preparation of the financial statements and other financial information prepared, discussed and agreed with relevant stakeholders, including senior management and the Audit Office as relevant? Were formal arrangements in place to obtain appropriately certified information from other agencies that was required to be included within the agency’s financial statements and reporting information? Were contingency arrangements in place for any unexpected staff movements or unplanned leave that could affect the preparation of the financial statement process? New South Wales Treasury Page 32 Certifying the effectiveness of internal controls over financial information tpp 14-05 FINANCIAL INFORMATION INTERNAL CONTROL QUESTIONNAIRE For reporting period [financial year 20XX – 20XX] • • • • Y N Comment Were arrangements in place to regularly monitor and review implementation of the work to ensure the financial statements and other financial reporting requirements were completed in accordance with agreed timeframes? Were measures in place to align the scheduled meetings of the ARC/Chief Executive/Board with the completion and audit of the financial statements? Was the timing and completion of the financial statements and audit coordinated to meet deadlines in the NSW Treasury agency reporting timetable, and the requirements of the Public Finance and Audit Act 1983? Was a timetable for printing/publishing/distributing financial information established? APPROPRIATE ALLOCATION OF RESOURCES AND COMPETENT STAFF FOR FINANCIAL INFORMATION AND REPORTING FUNCTIONS ICQ.5 Management of resources • • • • • During the reporting period, were effective human resource policies and procedures implemented to recruit, train, promote, remunerate and retain skilled finance professionals? Does evidence exist that employees had the requisite financial knowledge, skills, expertise and qualifications (where appropriate) to perform their jobs? Did senior management evaluate financial management competence across the organisation, and provide training to support continuing professional development? Were sufficient people resources, with appropriate qualifications (where appropriate), knowledge and skills, committed to the preparation of financial information? Did officers involved in the preparation of financial statements and other financial information understand their responsibilities and the expectations placed on them to achieve a quality product within the agreed timetable? New South Wales Treasury Page 33 Certifying the effectiveness of internal controls over financial information tpp 14-05 FINANCIAL INFORMATION INTERNAL CONTROL QUESTIONNAIRE For reporting period [financial year 20XX – 20XX] Y N Comment IDENTIFICATION AND MONITORING OF FINANCIAL REPORTING COMPLIANCE OBLIGATIONS ICQ.6 Accounting policies • During the reporting period, were the agency’s accounting policies and procedures appropriate and consistent with the Australian Accounting Standards and requirements as outlined within Treasurer’s Directions, NSW Treasury Circulars and NSW Treasury Policy and Guidelines papers? This should include all relevant accounting policies as listed on the NSW Treasury website42 and may include but is not limited to: NSW Treasury Circulars • • • • • • • • • • • Mandatory Early Close Procedures Mandates of Options and Major Policy Decisions Under Australian Accounting Standards Accounting for Long Service Leave and Annual Leave Accounting for Commonwealth Paid Paternal Leave Land Under Roads Financial and Reporting Requirements arising from Personnel Services Arrangements. Financial reporting requirements for NSW Government Entities including those affected by restructures Determining the present value of a provision Accounting for Superannuation Accounting for Dividends Accounting for the Goods and Services Tax (GST) NSW Treasury Policies and Guidelines • Financial Reporting Code for the NSW General Government Sector Entities • Accounting for Financial Instruments • Valuation of Physical Non-current Assets at Fair Value. • Lessor Classification of Long Term Land Leases • Contributions by owners made to Wholly-owned Public Service Entities • Distinguishing For-Profit from Not-For-Profit Entities • Accounting for Privately Financed Projects • Guidelines for Capitalisation of Expenditure on Property, Plant and Equipment • • 42 Were changes in the agency’s accounting policies from previous reporting periods disclosed and the impact quantified in the financial statements, where necessary, and endorsed by the relevant stakeholders? Did the agency undertake a review of new or updated accounting standards? Were these changes incorporated into the agency’s accounting policies to ensure they were appropriately applied to financial information and reports? For a list of NSW Treasury Accounting Policies see: http://www.treasury.nsw.gov.au/Publications_by_Policy_Area#accounting or TPP Financial Reporting Code for the NSW General Government Sector Entities, Appendix 3. New South Wales Treasury Page 34 Certifying the effectiveness of internal controls over financial information tpp 14-05 FINANCIAL INFORMATION INTERNAL CONTROL QUESTIONNAIRE For reporting period [financial year 20XX – 20XX] ICQ.7 Legislative and policy compliance • • • • • • • ICQ.8 Y N Comment During the reporting period, were there any breaches of legislation and/or policy that could have an impact on the financial statements and other financial information? Were these breaches of legislation or policy addressed appropriately? Were monies expended for the purpose for which they were appropriated and was there compliance with the limit on any appropriation (i.e. limits were not exceeded)? Were rollovers of unspent appropriations appropriately approved? Were the financial impacts of any outstanding legal or contractual matters identified and reflected in the financial statements and other information, where appropriate? Were delegated powers appropriately exercised during the financial year? Was appropriate action taken regarding communications from regulatory authorities concerning non-compliance with, or deficiencies in, financial reporting practices or other matters that could have a material effect upon the financial statements? Accountability and compliance with policy and controls • • During the reporting period, did management hold individuals and/or business areas accountable for performance on policy compliance and internal control responsibilities such as good financial management and record keeping? Were any necessary corrective actions implemented accordingly? Were channels in place, such as whistleblowing hotlines, to enable the confidential communication of information? Were all whistleblower reports investigated? FINANCIAL INFORMATION RISK MANAGEMENT ICQ.9 Agency objectives • • For, and during, the reporting period, did the agency specify and document its financial information and financial reporting objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives? Was the agency tolerance for specific areas of risk identified and communicated? New South Wales Treasury Page 35 Certifying the effectiveness of internal controls over financial information tpp 14-05 FINANCIAL INFORMATION INTERNAL CONTROL QUESTIONNAIRE For reporting period [financial year 20XX – 20XX] ICQ.10 Identification and analysis of financial management risks • • • • • • • ICQ.11 • Following the risk assessment, did management ensure that suitable risk treatments were planned and implemented (where necessary)? Did regular monitoring and consideration of the identified risks and treatments take place? Assessment of fraud and corruption risk • • • ICQ.13 During the reporting period, did the analysis of financial management risks consider both internal and external factors and their impact on the achievement of objectives? Did the agency identify and assess risks at all levels relevant to the achievement of financial reporting objectives? As a minimum, were the risks which are commonly identified as risks that can impact the preparation of financial statements considered? This includes but is not limited to: o Unavailability of skilled resources o Unsuitable management information systems o The incorrect recording or non-recording of transactions o Non-compliance with legislation and/or policy o Restructures o Fraudulent activity and corruption o Untimely or inaccurate reporting of information Were effective risk management practices consistently applied throughout the agency during the reporting period? Were effective mechanisms in place to ensure that risk assessments received the appropriate attention from management? Were suitable processes in place to ensure that identified risks were analysed through a process that included estimating the likelihood, consequence and significance of the risk? Did the risk assessment determine the significance of the risk assuming existing controls fail? Treatment of risks • ICQ.12 Y N Comment During the reporting period, were there any instances of suspected fraud? If so, did the agency consider the financial information, systems and processes that may be affected? Were all instances of fraud or corruption reported to the Agency Head and ARC? During the reporting period, were factors that could place pressure on management to achieve financial results, and increase the risk of fraudulent financial reporting, considered? If so, were appropriate mitigation or control activities put in place? Identify and analyse significant change • • • During the reporting period, were arrangements in place to monitor any proposed changes to the agency’s business strategy, systems or processes that could have affected the financial statements? Did clearly understood reporting mechanisms exist to alert senior management to new and changing risks regarding the preparation of financial information? Were changes in management and their attitudes and philosophies regarding risk and internal controls considered? New South Wales Treasury Page 36 Certifying the effectiveness of internal controls over financial information tpp 14-05 FINANCIAL INFORMATION INTERNAL CONTROL QUESTIONNAIRE For reporting period [financial year 20XX – 20XX] Y N Comment INTERNAL CONTROLS ACTIVITIES FOR FINANCIAL INFORMATION AND REPORTING ICQ.14 Selection of internal controls • • • • • • • ICQ.15 Policies and procedures • • ICQ.16 During the reporting period, did the agency have internal controls that had been selected and developed to contribute to the mitigation of risks to accurate and timely financial reporting? Were internal controls in place to ensure compliance with legislation (e.g. the Public Finance and Audit Act 1983), Australian Accounting Standards and other regulations relevant to the preparation of financial statements and other financial information? Were internal controls within the agency sufficiently robust to prevent, detect or correct error, misstatement or fraud? Did accounting and business systems that record and monitor financial transactions operate effectively throughout the year? If not, were alternative measures implemented to correct deficiencies? Were the internal controls relating to key IT systems that underpin the collection, recording processing and presentation of financial information tested and did these operate as intended? Were all internal controls relevant to the preparation of financial information identified and documented to enable a comprehensive analysis to be undertaken of their effectiveness? Were measures in place to ensure that segregation of duties was applied to control activities to better enable the detection and prevention of fraud and error? Were internal controls reinforced through clear policies and guidelines, so that employees knew what was expected and how to implement internal controls? Was training provided (where necessary)? Were effective mechanisms in place to establish responsibility and accountability for the implementation of internal control policies and procedures? Preparation of Financial Reports and Information NSW Treasury Checklists and Procedures • Were all early close procedures as outlined in NSW Treasury’s annual instructions considered and completed accordingly? • Were the procedures outlined within the annual Financial Reporting Checklist as provided by NSW Treasury considered and completed accordingly? End of Financial Year Close • Was the accounts close completed in line with the close timetable and NSW Treasury deadlines (including early close requirements)? • Were lessons learnt from the accounts close process logged and reviewed by management? Were lessons from previous years acted upon for the financial year? Presentation and Disclosure • Were steps taken to ensure that the financial statement items and corresponding notes: o reflected the re-stating of comparative year figures, where appropriate o were supported by lead schedules and other supporting documentation, reconciling to the trial balance, where appropriate, and o were free from arithmetical and typographical errors? New South Wales Treasury Page 37 Certifying the effectiveness of internal controls over financial information tpp 14-05 FINANCIAL INFORMATION INTERNAL CONTROL QUESTIONNAIRE For reporting period [financial year 20XX – 20XX] Y N Comment Notes to the Financial Statements • Were specific notes and disclosures prepared as required by the Australian accounting standards and NSW Treasury Accounting Policy: Financial Reporting Code for the NSW General Government Sector Entities? • Were any other disclosures required to present a true and fair view included in the financial statements? General and Subsequent Events • Were there any events or transactions (other than those reflected or disclosed in the financial statements) that should have been disclosed to prevent misleading the users of the financial statements? • Are you satisfied that any events occurring after the reporting date were adjusted or disclosed in the financial statements where appropriate? Group Financial Statements • Are you satisfied that the group financial statements included the results of the parent entity and all subsidiaries, associates and joint ventures as appropriate? • Are you satisfied that all special purpose entities that are controlled by the entity were consolidated in the group financial statements? ICQ.17 General Procedures and Practices concerning the preparation of Financial Information Analysis and adjustment of errors and misstatements • Was an appropriate materiality threshold set by the agency for the analysis and adjustment or errors and misstatements? Were the materiality thresholds applied during the preparation of the financial statements endorsed by the ARC and the Agency Head? • Were errors or misstatements identified during the year analysed to consider their impact on financial reporting and decision making? Were all material errors or misstatements corrected? Was the root cause of material errors investigated and any control weaknesses resolved? Analytical procedures • Were analytical procedures used to identify any unusual relationships and items within draft financial reports which could indicate issues with accuracy and completeness? • Were unusual relationships and items within draft financial reports investigated and corrected where necessary to ensure financial information was reliable? Was the possibility of systematic breakdowns in internal controls considered? • Were explanations obtained for significant variations in financial results when compared to the previous year and the current year’s budget? Was management satisfied that the explanations were reasonable? • Were significant non-recurring transactions or events adequately explained? Were they checked to ensure the correct accounting treatment was applied? • Were significant accounts identified and checked for accuracy ahead of the financial statement preparation? • Were critical business processes and systems evaluated to ensure the accuracy of the financial information generated? New South Wales Treasury Page 38 Certifying the effectiveness of internal controls over financial information tpp 14-05 FINANCIAL INFORMATION INTERNAL CONTROL QUESTIONNAIRE For reporting period [financial year 20XX – 20XX] Y N Comment Reconciliations • Were reconciliations completed between data outputs from financial and other related ICT systems? • Were there appropriate checks in place to ensure financial analysis was accurate and could be reconciled back to source data? Variance analysis and forecasting • Were accruals-based management accounting reports prepared regularly (e.g. monthly)? • Was routine analysis performed and were any problems that were identified addressed promptly? (This includes the analysis of variances and the management of projected overspends). Accounting estimates and methodology • Were the methodology and techniques used for developing accounting estimates documented? Was this methodology based on appropriate accounting policies? • Were accounting estimates based on sound assumptions about future conditions, transactions or events that affect the estimates? Were the assumptions routinely tested to ensure they remained valid? • Was sufficient, relevant data collected on which to base the accounting estimates? Was the basis for the estimates reasonable and accurate? ICQ.18 Management Certifications • • ICQ.19 Were the financial statements and other financial information supported by management sign-offs from budget holders and appropriate business area managers? Were the management certifications supported by appropriate documentation, where applicable? Managing outsourced service providers • • • During the reporting period, were outsourced service providers governed by a service level agreement with clearly defined objectives, service outputs, performance indicators and measures? Was the performance of the service provider regularly monitored and measured against the service level agreement? Was a letter of certification meeting the satisfaction of the agency as to the effectiveness of the internal controls in the service organisation (as they relate to, and impact on, the agency’s financial information) received from the outsourced service provider? EFFECTIVE FINANCIAL INFORMATION MANAGEMENT INCLUDING PROPER RECORD KEEPING ICQ.20 Documentation • • • During the reporting period, was key documentation supporting the preparation of the financial statements and other financial reports maintained? This may include analyses performed, management representations, checklists, technical advice, registers, correspondence concerning significant matters and work schedules. Were there any significant management judgements and estimations made? If so, did the agency adequately disclose and document this information? Was all information from other entities that was required to be included in the financial reports (including financial statements) obtained? Was this information appropriately certified in accordance with the agreed arrangements? New South Wales Treasury Page 39 Certifying the effectiveness of internal controls over financial information tpp 14-05 FINANCIAL INFORMATION INTERNAL CONTROL QUESTIONNAIRE For reporting period [financial year 20XX – 20XX] • • • Y N Comment Did financial records meet the requirements of the State Records Authority? Were suitable financial records, as outlined in the Client Assistance Schedules and Client Service Plans (issued by the external audit teams) as a minimum, available for the external auditors? Were accounting records retained in accordance with the NSW Treasury and ATO requirements? FINANCIAL INFORMATION AND REPORTING PERFORMANCE MONITORING AND EVALUATION ICQ.21 Treatment of deficiencies • • ICQ.22 Quality assurance • • • • • ICQ.23 During the reporting period, were identified internal control deficiencies evaluated and communicated in a timely manner to those responsible for taking action including those with oversight responsibilities? Were appropriate measures in place to track whether corrective actions had delivered the required results on a timely basis? During the reporting period, were the financial statements and other financial information subject to appropriate quality assurance reviews to ensure that they had been prepared in accordance with NSW Treasury’s policies and Australian Accounting Standards? Were there any instances where the quality of financial information was raised as an issue? (For example, by internal or external audits). If so, was appropriate remedial action taken in response and the ensuing results monitored? Were all matters raised by the ARC from its review of the financial statements and other financial information during the reporting period addressed? Did the agency identify any significant or material issues arising during the financial management oversight processes (e.g. reconciliations)? If so, did the agency consider the impact on the quality of financial information and reporting? Were these issues resolved? During the reporting period, were there instances of the untimely reporting of information? If so, was appropriate remedial action taken in response? Audit • • • • • Were records and related information that support the financial statements made available to external audit e.g. Board minutes, accounting records, third party documents, relevant ministerial approval/determinations? Were the reasons for not correcting any errors or misstatements identified by external audit reported to the Chief Executive/Board/ARC, where appropriate? Was the audit opinion including issues arising from the audit discussed with the NSW Audit Office? Were remedial measures taken (or proposed) to address the issues raised by external audit, including any adjustments necessary to the financial statements? Were any legal compliance issues raised by internal and/or external audit adequately addressed and reflected in the financial statements, where appropriate? New South Wales Treasury Page 40 Certifying the effectiveness of internal controls over financial information tpp 14-05 FINANCIAL INFORMATION INTERNAL CONTROL QUESTIONNAIRE For reporting period [financial year 20XX – 20XX] Y N Comment CONTINUOUS IMPROVEMENT ICQ.24 Evaluations • ICQ.25 Were all internal controls relevant to the preparation of financial information identified and documented to enable a comprehensive analysis to be undertaken of their effectiveness? • Was adequate monitoring and evaluation of internal controls in place to ensure that they were proportionate and operating as intended? Changes to the environment • • • • • During the reporting period, were there any changes to internal controls, systems or procedures related to financial information that may have affected the quality and integrity of financial information? Was the agency subject to any machinery of government changes that may have impacted the allocation of resources and the preparation of financial information? Were there any new contracts, partnerships or commercial activities that required consideration and attention when considering internal controls? Was there a process for identifying and responding to changes to financial reporting requirements and the operational environment? Did internal audit or any other external consultancy/assurance body provide recommendations to improve the internal controls over the provision of financial information? If so were these recommendations monitored through to successful implementation by management, the Agency Head and the ARC? New South Wales Treasury Page 41 Certifying the effectiveness of internal controls over financial information tpp 14-05 Annexure D: Certifications from Management TPP 09-05 requires the Audit and Risk Committee to be satisfied that the financial statements are supported by appropriate management sign-offs on the statements and on the adequacy of the systems of internal control. The exact nature of these sign-offs will vary. However, agencies may consider using a tool, similar to the Management Certification Questionnaire included below, to obtain certifications from relevant business unit managers/budget holders within their agency. Alternatively, agencies may develop a Management Certification Questionnaire that is derived from the ICQ or a combination of these approaches. Information returned within completed questionnaires should provide the CFO with a level of confidence that business areas have a clear understanding of their financial reporting and internal control obligations, and that these have been implemented and have been operating effectively across the entire organisation. As is the case with the Internal Control Questionnaire, the template should be tailored to meet the particular circumstances of the agency. The selected questions should enable both the business area manager and the CFO to determine whether there are any issues that may impact on the agency’s system of internal control and the quality of financial information. Questions may therefore focus on those areas where the agency has identified particular risks or on those areas where the CFO has less visibility of operational practices and outcomes. It is envisaged that whilst the Management Certification Questionnaire is to be completed prior to the CFO Internal Control Questionnaire, business managers will be advised of the requirements of the Questionnaire and understand their obligations well in advance of the deadline for completion. This will enable any potential weaknesses to be identified and appropriate remedial actions to be undertaken before final sign off by the business manager. The questions provided below are for illustrative purposes only and should not be considered exhaustive. New South Wales Treasury Page 42 Certifying the effectiveness of internal controls over financial information tpp 14-05 Management Certification Questionnaire Template Introduction and Overview The following questionnaire and certification is necessary and required so that the Chief Financial Officer (CFO) is able to certify that [AGENCY NAME] has had a sound system of risk management and internal control to ensure that the agency’s financial information is true and fair, in all material respects. At a minimum, when making the certification, NSW Treasury requires the CFO to consider the following: financial management culture (including tone at the top) clarity of roles and responsibilities relating to financial reporting sufficiency and appropriateness of financial reporting planning sufficiency of resources and competency of staff responsible for financial reporting compliance with financial reporting obligations financial information risk management effectiveness of internal control activities effectiveness of financial information management including proper record keeping financial information and reporting performance monitoring and evaluation continuous improvement processes. Managers have a key role in implementing and overseeing key internal controls within their areas that affect the agency’s financial information and financial reporting. In recognition of this, it is a requirement of NSW Treasury that the CFO must request and consider certifications provided by management as part of the process underpinning the certification. This questionnaire is designed to meet that requirement. The questionnaire covers the financial year [INSERT FINANCIAL YEAR]. New South Wales Treasury Page 43 Certifying the effectiveness of internal controls over financial information tpp 14-05 Certification by Business Area Manager a) I acknowledge and understand my responsibilities for ensuring that financial information as it relates to [INSERT BUSINESS AREA] is in line with [INSERT AGENCY]’s policies and procedures. b) I acknowledge my responsibility for the implementation and operation of internal control systems over the financial and related operations of the agency as they relate to my business area. c) I certify that, to the best of my knowledge and belief, any issues relevant to my business area, which in my opinion, may have impacted the preparation of financial statements and information and the effective operation of internal controls during the financial year [INSERT FINANCIAL YEAR] have been identified in the significant issues schedule below. Where deficiencies have been identified, corrective actions and timeframes for their completion have been proposed. d) I have complied with the requirements of the CFO’s Management Certification Questionnaire, and the information provided for the financial year [INSERT FINANCIAL YEAR] is accurate and complete. ACTION PLAN MAQ# Deficiency Action(s) Responsibility Due Date Traffic Light Status Signature of business area manager________________________________ Business area___________________________________________________ Date___________________________________________________________ New South Wales Treasury Page 44 Certifying the effectiveness of internal controls over financial information tpp 14-05 MANAGEMENT CERTIFICATION QUESTIONNAIRE TEMPLATE For reporting period [financial year 20XX – 20XX] Y N Comment A STRONG FINANCIAL CULTURE INCLUDING TONE AT THE TOP MAQ.1 • • Were all employees in your business area informed of the code of conduct and did you monitor their compliance with this code? Did you take steps to create and maintain a culture within your business area that emphasised the importance of the effective implementation of financial management internal controls and high quality financial information? This column may be used to document relevant actions, note any departures or concerns and identify any remedial actions. CLEAR DEFINITION OF FINANCIAL REPORTING ROLES AND RESPONSIBILITIES MAQ.2 • • Were the financial responsibilities of the staff within your business area clearly communicated to establish performance expectations, accountability and control? During the reporting period, did robust arrangements exist within your business area to review and approve the preparation of financial information? FINANCIAL REPORTING PLANNING MAQ.3 • • • Did documented roles and responsibilities of staff in your business area ensure that all relevant objectives relating to the preparation of financial information were identified and assigned appropriately? Were arrangements in place to ensure that information required from third parties for inclusion within financial information was received on time and is certified appropriately? Can you confirm the following for the financial year: a) Your business area was prepared for possible business disruptions b) Your business area managed business continuity in line with the agency’s policy and mitigation strategies were implemented where necessary. c) Contingency plans were reviewed and updated where necessary. APPROPRIATE ALLOCATION OF RESOURCES AND COMPETENT STAFF FOR FINANCIAL INFORMATION AND REPORTING FUNCTIONS MAQ.4 • Were there sufficient resources within your business area, with the appropriate levels of expertise and knowledge, committed to the financial information preparation process? • Did those tasked with oversight responsibilities hold the necessary expertise? IDENTIFICATION AND MONITORING OF FINANCIAL REPORTING COMPLIANCE OBLIGATIONS MAQ.5 • • • • • Did your business area have effective systems to enable it to comply with its legislative and policy obligations, including adequately documented policies, procedures and other documents that were easily accessible by relevant staff? Did you take steps to create and maintain a culture within your business area that encouraged legislative compliance, including encouraging relevant officers to seek legal, expert or NSW Treasury advice in situations where the risks associated with non-compliance were high? Were new staff informed about their legislative and policy responsibilities and were all staff provided with information and training to maintain and update their knowledge of obligations as required? During the reporting period, did your business area have effective processes to assist it to prevent, identify, report, remediate and monitor breaches of legislation? Were any significant breaches of legislation reported to executive management? New South Wales Treasury Page 45 Certifying the effectiveness of internal controls over financial information tpp 14-05 MANAGEMENT CERTIFICATION QUESTIONNAIRE TEMPLATE For reporting period [financial year 20XX – 20XX] MAQ.6 Y N Comment Delegations • Are you satisfied that administrative and financial delegations were followed in accordance with prescribed guidelines? FINANCIAL INFORMATION RISK MANAGEMENT MAQ. Identification and analysis of risks 7 • Were the financial reporting objectives of your business area sufficiently documented to enable the identification and assessment of risks? • Were effective risk management practices relevant to the achievement of financial reporting objectives implemented across your business area over the reporting period? • Were all identified risks considered and addressed by your business area or escalated appropriately to Senior Management for further attention? MAQ. Fraud Risk 8 • During the reporting period, was any fraud and/or error involving management or employees detected within your Business Area? • If there were any fraud or error events that had, or that may have, an impact on the agency’s financial information please provide: a) Details of the evidence uncovered b) Details of any subsequent action taken c) Confirmation of no loss of public monies d) Advice on whether ICAC was informed. INTERNAL CONTROL ACTIVITIES FOR FINANCIAL INFORMATION AND REPORTING MAQ. Selection of controls 9 • During the reporting period, did your business area operate internal controls selected and developed to contribute to the mitigation of risks associated with the preparation of financial information? • Can you confirm that adequate internal controls operated in your business area during the reporting period and that there was no significant breakdown in these controls? MAQ. Employee entitlements 10 • Can you confirm that, during the reporting period, employee advances, including travel advances, were authorised by the appropriate officer and reconciled at the end of the period/trip, with all outstanding monies promptly being returned to the agency? MAQ. Assets - Cash Floats and Bank Accounts 11 • Can you confirm that: a) All bank accounts were reconciled at least on a monthly basis and appropriate action taken to investigate and resolve any unexpected items? b) All cash floats, including advance accounts/witness advances, petty cash and change/counter cash advances, were reconciled and verified by a senior officer as required throughout the year? c) You obtained the necessary prior approval for any new bank accounts opened during the reporting period? MAQ. Assets - Receivables 12 • Are you satisfied that: a) Invoices were raised for all recoverable debts, based on purchase orders received, service delivery agreements or other written evidence? b) All receipts were correctly allocated against the appropriate debtors to reduce the amounts outstanding? c) Assessments were made as to whether outstanding invoice amounts were recoverable and, where applicable, adequate provisions for doubtful debts were made, and any bad debts written off? New South Wales Treasury Page 46 Certifying the effectiveness of internal controls over financial information tpp 14-05 MANAGEMENT CERTIFICATION QUESTIONNAIRE TEMPLATE For reporting period [financial year 20XX – 20XX] d) e) MAQ. 13 MAQ. 14 MAQ. 15 MAQ. 16 Y N Comment There was an effective process for working with the finance function to assess and approve the write-off of bad debts? The Audit and Risk Committee was provided with a summary of bad debts written off in the year for each category of revenue? Commitments, Contingent Assets and Liabilities • Can you confirm that: a) All capital and other expenditure commitments were advised to Corporate Finance for inclusion in the accounting records of the agency? b) All operating lease commitments were inclusive of management fees and other charges covered by operating lease agreements? c) Any contingent liabilities were advised, including details of litigation or threatened litigation against the agency? d) Any contingent assets were advised? Physical Assets • Can you confirm that: a) All assets were accounted for and any discrepancies notified to the appropriate branch for rectification. b) Notification of transfers or disposals of assets (including transfers between business centres) was made to the relevant finance officers for adjustment of the fixed asset register c) There were no impediments or charges over the assets and/or no assets were pledged? d) Management provided valuers with suitable and consistent instructions about valuation assumptions to be applied. Accruals • Can you confirm that: a) All relevant creditor accruals (goods or services that have been contracted for and received but which have not been paid) were recognised as at [Insert date] b) All relevant debtor accruals (goods or services that have been contracted for and delivered but for which payment has not been received) were recognised as at [Insert date] c) All goods received were receipted and all services delivered were invoiced as at [Insert date] d) All quantity and price mismatches were investigated and resolved within 30 days e) No accruals have since come to your notice that would require adjustment in the accounting records f) Appropriate procedures were established for receiving goods and services? • Were any significant judgements and estimates of uncertainty made? (This may also include the determination of discount rates, inflation and other rates etc) If so, were such assumptions consistent with applicable accounting standards, NSW Treasury guidance and previous year assumptions? • Were such assumptions reviewed and endorsed by management in particular before being applied by external experts such as valuers and actuaries? Managing contractors and consultants • Were all appropriate returns covering the engagement of consultants and contractors for the financial year provided to the relevant division(s)? • Were all authorisations for the engagement of consultancy services in accordance with agency guidelines? New South Wales Treasury Page 47 Certifying the effectiveness of internal controls over financial information tpp 14-05 MANAGEMENT CERTIFICATION QUESTIONNAIRE TEMPLATE For reporting period [financial year 20XX – 20XX] MAQ. 17 Y N Comment General • Did the following occur in your business area during the reporting period: a) Any event, circumstance or information that had, or may have, such a financial impact that could make the agency’s financial information (including financial statements) misleading or incomplete? b) Any change in strategic direction of your business area, or a legislative change that caused an impact on the financial affairs of the agency? EFFECTIVE FINANCIAL INFORMATION MANAGEMENT INCLUDING PROPER RECORD-KEEPING MAQ. 18 Policies and procedures • Can you confirm that: a) Manuals were in place for all major systems and procedures b) These manuals were updated and adjusted on a timely basis c) If manuals did not exist, steps are being taken to ensure their implementation as soon as possible. MAQ. 19 Accounting Records Were all financial transactions of your business area properly recorded (with working papers) in the accounting records, audit files and systems? Were appropriate accounting records kept and relevant action taken with regard to the following: a) The issue of purchase orders in accordance with legislative requirements, including with respect to government contracts where appropriate, and the obtaining of quotations where necessary. b) The proper approval, verification and authorisation of vouchers or orders in accordance with Treasurer’s Directions and supported by appropriate documentation. c) The proper approval of vouchers involving expenditure, including air travel, by business centre managers by their direct manager, including the Agency Head, where appropriate. d) The timely issue of receipts and daily banking as appropriate. FINANCIAL INFORMATION AND REPORTING PERFORMANCE MONITORING AND EVALUATION MAQ. 20 Treatment of deficiencies • Were any identified deficiencies in internal controls relevant to the preparation of financial information communicated and escalated appropriately for consideration and action? MAQ. 21 Quality checks • Was the financial information generated by your business area subject to appropriate quality checks? MAQ. 22 Internal and external audit reports • Can you confirm that all recommendations or matters for action arising from Audit Office and internal audit reports, particularly high and medium risk matters, relating to your business area prior to, or during the reporting period, were actioned and closed off during the year or appropriate steps were taken to action such matters? • If appropriate steps have not been taken to date, what proposed actions and timetables are in place to ensure implementation? New South Wales Treasury Page 48 Certifying the effectiveness of internal controls over financial information tpp 14-05 MANAGEMENT CERTIFICATION QUESTIONNAIRE TEMPLATE For reporting period [financial year 20XX – 20XX] Y N Comment CONTINUOUS IMPROVEMENT MAQ. 23 Evaluations and changes to the environment • Did you monitor internal controls within your business area to ensure that they were functioning as intended and were still relevant? • Was there a process within your Business Area to identify, respond to and monitor changes to financial reporting requirements and any changes to the environment? QUESTIONNAIRE ADMINISTRATION MAQ. 24 • This questionnaire may be subject to audit or consideration by the Audit and Risk Committee. Please confirm that a permanent record has been created in respect of this questionnaire. New South Wales Treasury Page 49 Certifying the effectiveness of internal controls over financial information tpp 14-05 Annexure E: Audit and Risk Committee Checklist What to ask Who to ask What to look for Have responsibilities for financial reporting internal controls been clearly defined? Agency Head/ CFO/ Senior Management Have those with responsibility and accountability for financial reporting internal controls had a clear understanding of their respective responsibilities and accountabilities? Have the responsibilities and accountabilities for financial reporting internal controls been clearly documented and made available to relevant officers? Has there been sufficient resourcing to allow for proper definition of roles and responsibilities including segregation of duties? Have internal controls during the reporting period been adequate? Were the internal controls operating effectively throughout the reporting period? What foundations and better practices have supported good financial reporting within, and by, the agency? Has there been any information arising from the ARC deliberations throughout the year that contradict the CFO’s assessment of the internal controls? Has the impact of these deficiencies been documented and justified? Has there been, or is there, an adequate action plan established to address these deficiencies? Have there been appropriate monitoring procedures to track progress against action plans in order to address deficiencies? Have all identified deficiencies been satisfactorily addressed? Have all the Core Requirements and relevant Annexure templates in the Policy and Guidelines Paper – Certifying Effectiveness of Internal Controls over Financial Information - been appropriately considered? Have appropriate certifications been obtained from management? Is there consistency between the management certifications provided and the assessment made in the CFO Certification? Has a certification letter that provides an independent opinion on the design and operating effectiveness of controls for each external service provider as they relate to the agency’s financial reporting been provided? If so, what were the results and do the results affect the integrity of the agency’s financial information and financial reporting? If so, were there any significant or extreme risks identified? What action was, or is being, taken to address those risks? If not, when will the next risk assessment be undertaken? How have processes/controls been adjusted to reflect new or changing risks, or operational deficiencies? During the financial year, have internal controls, (including controls over disclosure and financial reporting processes) been adequate and effective? Has the CFO deemed the evaluation of internal controls over financial information to have significant deficiencies? What has the CFO done to confirm their certification of the internal controls over financial information? Has a financial reporting risk assessment been undertaken? CFO CFO CFO CFO New South Wales Treasury Page 50 Certifying the effectiveness of internal controls over financial information tpp 14-05 What to ask Who to ask What to look for What have been, or are, the implications of changes in accounting policies due to new accounting standards and/or interpretations? CFO What impact has there been on the financial statements? Have there been, or are there, any capital management issues? Has there been any requirement to restate the previous year’s statements to ensure comparability with the current year? Has this been suitably explained in the notes to the financial statements? Have there been any indicators of fraud present? Management/ external auditor /internal auditor Have these been addressed by management? Has the impact been assessed? Has financial information being received from management and others been timely and fit for purpose? CFO Has information been readily received from management and others to meet regular reporting deadlines? Have ad hoc requests for financial information been readily addressed? Has financial information from managers and others been relevant, reliable, comparable and understandable? Has the finance function been required to invest significant time following-up requests for information? Has the ARC been given sufficient time to review the financial statements? New South Wales Treasury Page 51 Certifying the effectiveness of internal controls over financial information Annexure F: tpp14-05 Process Flowchart for Compliance with the Core Requirements Conduct financial reporting risk assessment Develop/review Internal Control Questionnaire Agency Head Audit and Risk Committee External Service Providers Management CFO CFO Certification of the system of internal controls over financial information New South Wales Treasury (draft) Develop/review Management Certification Questionnaire Internal Control Questionnaire used as a basis to identify deficiencies and implement action plans to address these in preparation for signing off Management Certification Questionnaire used as a basis to identify deficiencies and implement action plans to address these in preparation for signing off ICQ completed CFO Letter of Certification Copy of CFO Letter of Certification submitted to Treasury when accepted by CEO Management Certification Questionnaire completed and provided to CFO Certification letter as to the design and operating effectiveness of internal controls as they relate to, and impact on, the financial information and reporting services provided Provide advice to agency head Review CFO Letter of Certification Reviews CFO Letter of Certification in light of ARC feedback Page 52 Certifying the effectiveness of internal controls over financial information Annexure G: tpp14-05 Better practice checklist: Planning the preparation of financial statements (Source: Australian National Audit Office (ANAO) June 2013 Preparation of Financial Statements by Public Sector Entities, Better Practice Guide) Better practice entities will establish the following practices in planning the preparation of their financial statements: identifying requirements and risks at an early stage liaising regularly with stakeholders formally allocating responsibilities - errors are reduced when rigorous reviews of information are performed and accountability for error correction is assigned to the originating unit determining realistic elapsed times for each activity. Information about timeframes assists in planning the total resource requirements, enabling a more realistic estimate of workloads and completion dates, as well as early identification of resource gaps preparing detailed plans covering key activities, responsibilities and timelines. Accurate times are defined for tasks that have very tight deadlines, or for tasks that have consequential effects on other activities. Relevant stakeholders are consulted to agree and plan deadlines obtaining early finalisation and approval of the work plan and prompt promulgation to relevant staff so that they can plan to meet the required deadlines. The work plan is also agreed with external audit and aligned with their timetable preparing clear, easy-to-follow instructions and checklists that are linked to the work plan, providing detailed and specific guidance on a wide range of tasks, such as accrued and unearned income, accruals and prepayments, journal entry processing and reconciliations. Instructions can include clearly documented chart of accounts, process flow charts and user instructions strictly enforcing deadlines establishing arrangements that enable the finance team to consider in a timely manner the financial statement implications of business developments identifying accounting requirements at an early stage, and seeking continuous and demonstrable improvement. A culture of continuous improvement might include the phasing-in of improvements so that practices are embedded into day-to-day work programs and are not 'one-off' experiences. Feedback on 'what went right and what went wrong' in order to learn from past experience is an important input to planning work requirements. New South Wales Treasury Page 53 Certifying the effectiveness of internal controls over financial information Annexure H: Obligation tpp14-05 Register of compliance obligations sample template Description Timing/ Key dates Officer Related Agency policies/ strategies Evidence of compliance Legislative/Regulatory Requirements: Key Policies: Grant/Contract Conditions: Other: New South Wales Treasury Page 54 Certifying the effectiveness of internal controls over financial information Annexure I: tpp14-05 Flowchart of steps in risk assessment and treatment (Source: NSW Treasury August 2012 Risk Management Toolkit for NSW Public Sector Agencies, TPP 12-03) Consider the possible sources of risks IDENTIFY Describe and document the risk Identify risks to objectives Identify and assess existing controls Determine the consequences of the risk assuming existing controls fail and after existing controls COMMUNICATE AND CONSULT Document the level of risk assuming existing controls fail Determine the likelihood of the risk assuming existing controls fail and after existing controls Document the level of risk after existing controls Combine to determine the level of risk Compare with tolerance for risk. Acceptable? EVALUATE Yes Document MONITOR AND REVIEW ANALYSE No Prioritise TREAT Assign risk owner Develop risk treatment No Develop and implement Risk Treatment Plans Compare with tolerance for risk. Acceptable? Implement Risk Treatment Plans New South Wales Treasury Document Yes Document selected treatments and review and reporting requirements in risk treatment plans Page 55 Certifying the effectiveness of internal controls over financial information tpp14-05 References Australian National Audit Office, June 2013, Preparation of Financial Statements by Public Sector Entities, Better Practice Guide, Commonwealth of Australia Audit Office of NSW, July 2006, Fraud Control Improvement Kit: Meeting your Fraud Control Obligations, Better Practice Guide Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2013, Internal Control – Integrated Framework Institute of Chartered Accountants in Australia, Best Practice Guidance Note 4 – The year-end process: planning and Best Practice Guidance Note 5 – Project managing the year-end: execution International Organization of Supreme Audit Institutions, Guidelines for Internal Control Standards for the Public Sector, INTOSAI Professional Standards Committee National Audit Office (UK), January 2010, The Statement on Internal Control: A Guide for Audit Committees, London NSW Treasury, 2009, Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 09-05), NSW Government NSW Treasury, 2012, Risk Management Toolkit for NSW Public Sector Agencies (TPP 12-03) NSW Government NSW Treasury, Financial Reporting Checklist for Early Close and Year-end Reporting, NSW Government Public Accounts Committee of the Legislative Assembly, October 2010, Financial Report on Quality and Timeliness of Financial Reporting, NSW Parliament Standards Australia, 2006, Australian Standard: Compliance Programs AS 3806-2006 Victorian Department of Treasury and Finance, May 2013, Standing Directions of the Minister for Finance and Associated Rules and Supplementary Material New South Wales Treasury Page 56
